Error with SSL keystore when trying to do remote reindex


I'm trying to perform a remote reindex and the remote ES has been configured with SSL by someone else. I was able to get the abc.p12 cert of the remote ES, as well as the password that was auto-generated (an alpha-numeric string).

I'm not very familiar with the TLS/cert concept and I'm a bit confused as to what I should do.

I currently have the following configurations in my /etc/elasticsearch/elasticsearch.yml.

reindex.remote.whitelist: ["x.x.x.x:9200"]
reindex.ssl.keystore.path: abc.p12 true false true
  enabled: true
  verification_mode: certificate
  keystore.path: certs/t.p12
  truststore.path: certs/t.p12

I'm taking this page as reference.

I overwrote the and with the one I have for abc.p12. However, I got the error message failed to load SSL configuration [] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/certs/t.p12] - this is usually caused by an incorrect password; (a keystore password was provided).

If I don't overwrite the 2 passwords, then I get another error instead: cannot read configured [PKCS12] keystore [/etc/elasticsearch/abc.p12] - this is usually caused by an incorrect password

t.p12 was used by the previous administrator to reindex from other remote ES. I'm not really sure if I need to provide my own t.p12 (or what it is for, actually).

What should I do?

Thank you.

abc.p12 and t.p12 are two different keystore files. Do they share the same password? In any case, you need configure their passwords separately because they are different settings, one is for reindex SSL and the other is for transport SSL.

You can refer this page for configuring SSL settings for reindex.

abc.p12 and t.p12 have different passwords.

So I would need to run

bin/elasticsearch-keystore add and
bin/elasticsearch-keystore add
with the t.p12 password and

bin/elasticsearch-keystore add reindex.ssl.keystore.secure_password
with the abc.p12 password?

I set the passwords as mentioned and it works now.

Tips to Fix SSL Certificate Error
Diagnose the problem with an online tool.
Install an intermediate certificate on your web server.
Generate a new Certificate Signing Request.
Upgrade to a dedicated IP address.
Get a wildcard SSL certificate.
Change all URLS to HTTPS.
Renew your SSL certificate.

Rachel Gomez

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.