Error with SSL keystore when trying to do remote reindex

hjazz6 · October 31, 2022, 9:23am

Hi,

I'm trying to perform a remote reindex and the remote ES has been configured with SSL by someone else. I was able to get the abc.p12 cert of the remote ES, as well as the password that was auto-generated (an alpha-numeric string).

I'm not very familiar with the TLS/cert concept and I'm a bit confused as to what I should do.

I currently have the following configurations in my /etc/elasticsearch/elasticsearch.yml.

reindex.remote.whitelist: ["x.x.x.x:9200"]
reindex.ssl.keystore.path: abc.p12

xpack.security.enabled: true
xpack.security.http.ssl.enabled: false

xpack.security.enrollment.enabled: true

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/t.p12
  truststore.path: certs/t.p12

I'm taking this page as reference.

I overwrote the xpack.security.transport.ssl.keystore.secure_password and xpack.security.transport.ssl.truststore.secure_password with the one I have for abc.p12. However, I got the error message failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/certs/t.p12] - this is usually caused by an incorrect password; (a keystore password was provided).

If I don't overwrite the 2 passwords, then I get another error instead: cannot read configured [PKCS12] keystore [/etc/elasticsearch/abc.p12] - this is usually caused by an incorrect password

t.p12 was used by the previous administrator to reindex from other remote ES. I'm not really sure if I need to provide my own t.p12 (or what it is for, actually).

What should I do?

Thank you.

Yang_Wang · November 3, 2022, 5:54am

abc.p12 and t.p12 are two different keystore files. Do they share the same password? In any case, you need configure their passwords separately because they are different settings, one is for reindex SSL and the other is for transport SSL.

You can refer this page for configuring SSL settings for reindex.

hjazz6 · November 3, 2022, 6:29am

abc.p12 and t.p12 have different passwords.

So I would need to run

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password and
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
with the t.p12 password and

bin/elasticsearch-keystore add reindex.ssl.keystore.secure_password
with the abc.p12 password?

hjazz6 · November 4, 2022, 3:11am

I set the passwords as mentioned and it works now.

rachel_gomez · November 4, 2022, 7:53am

Tips to Fix SSL Certificate Error
Diagnose the problem with an online tool.
Install an intermediate certificate on your web server.
Generate a new Certificate Signing Request.
Upgrade to a dedicated IP address.
Get a wildcard SSL certificate.
Change all URLS to HTTPS.
Renew your SSL certificate.

Greeting,
Rachel Gomez

system · December 2, 2022, 7:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot read configured [PKCS12] keystore (as a truststore) Elasticsearch elastic-stack-security	1	7058	November 2, 2022
SSL ISSUE FOR ELASTIC APM agent-explorer	2	237	July 28, 2023
ElasticSearch with SSL? Elasticsearch elastic-stack-security	12	21805	November 28, 2019
X-Pack security TLS/SSL not working with own certificates Elasticsearch elastic-stack-security	5	3487	November 14, 2018
Problem with keystore password was incorrect Elasticsearch elastic-stack-security	7	38055	March 23, 2019

Error with SSL keystore when trying to do remote reindex

Related Topics