Error with SSL keystore when trying to do remote reindex

Hi,

I'm trying to perform a remote reindex and the remote ES has been configured with SSL by someone else. I was able to get the abc.p12 cert of the remote ES, as well as the password that was auto-generated (an alpha-numeric string).

I'm not very familiar with the TLS/cert concept and I'm a bit confused as to what I should do.

I currently have the following configurations in my /etc/elasticsearch/elasticsearch.yml.

reindex.remote.whitelist: ["x.x.x.x:9200"]
reindex.ssl.keystore.path: abc.p12

xpack.security.enabled: true
xpack.security.http.ssl.enabled: false

xpack.security.enrollment.enabled: true

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/t.p12
  truststore.path: certs/t.p12

I'm taking this page as reference.

I overwrote the xpack.security.transport.ssl.keystore.secure_password and xpack.security.transport.ssl.truststore.secure_password with the one I have for abc.p12. However, I got the error message "failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/certs/t.p12] - this is usually caused by an incorrect password; (a keystore password was provided)".

If I don't overwrite the 2 passwords, then I get another error instead: "cannot read configured [PKCS12] keystore [/etc/elasticsearch/abc.p12] - this is usually caused by an incorrect password".

t.p12 was used by the previous administrator to reindex from other remote ES. I'm not really sure if I need to provide my own t.p12 (or what it is for, actually).

What should I do?

Thank you.

abc.p12 and t.p12 are two different keystore files. Do they share the same password? In any case, you need to configure their passwords separately because they are different settings: one is for reindex SSL and the other is for transport SSL.

You can refer to this page for configuring SSL settings for reindex.

abc.p12 and t.p12 have different passwords.

So I would need to run

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
and
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
with the t.p12 password and

bin/elasticsearch-keystore add reindex.ssl.keystore.secure_password
with the abc.p12 password?

I set the passwords as mentioned and it works now.
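
A pre-flight check for the mapping worked out in this thread, as an added example that is not part of the original posts or of Elastic's tooling: it uses the openssl CLI to confirm which password opens which PKCS#12 file before the values go into elasticsearch-keystore. The function names are hypothetical, the relative paths (abc.p12 and certs/t.p12 under the config directory) follow the thread's elasticsearch.yml, and make_constructed_p12 only produces constructed sample keystores.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Needs the openssl CLI.

# p12_password_ok FILE PASSWORD: exit 0 only if PASSWORD opens the PKCS#12 FILE.
# The password is passed via the environment (env:), not argv, so it does not
# appear in the process list.
p12_password_ok() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_PASS \
    >/dev/null 2>&1 </dev/null
}

# check_one SETTING FILE PASSWORD: report whether PASSWORD fits the keystore
# file that SETTING's matching *.path option points at.
check_one() {
  if p12_password_ok "$2" "$3"; then
    echo "OK    $1 -> $2"
  else
    echo "FAIL  $1 -> $2 (file unreadable or wrong password)"
    return 1
  fi
}

# check_mapping CONF_DIR T_P12_PASSWORD ABC_P12_PASSWORD
# Settings and relative paths are the ones from the thread's elasticsearch.yml.
check_mapping() (
  rc=0
  check_one xpack.security.transport.ssl.keystore.secure_password \
    "$1/certs/t.p12" "$2" || rc=1
  check_one xpack.security.transport.ssl.truststore.secure_password \
    "$1/certs/t.p12" "$2" || rc=1
  check_one reindex.ssl.keystore.secure_password "$1/abc.p12" "$3" || rc=1
  exit "$rc"
)

# make_constructed_p12 FILE PASSWORD: build a throwaway self-signed keystore
# (constructed sample data) so the checks can be tried away from a real node.
make_constructed_p12() (
  tmp=$(mktemp -d) || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 &&
  P12_PASS="$2" openssl pkcs12 -export -inkey "$tmp/key.pem" \
    -in "$tmp/cert.pem" -out "$1" -passout env:P12_PASS >/dev/null 2>&1
  rc=$?
  rm -rf "$tmp"
  exit "$rc"
)
```

On a real node, source the file and call check_mapping /etc/elasticsearch with both passwords read from a prompt; a FAIL line names the setting whose password belongs to a different file, which is the mismatch behind both error messages quoted above.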

Tips to Fix SSL Certificate Error
Diagnose the problem with an online tool.
Install an intermediate certificate on your web server.
Generate a new Certificate Signing Request.
Upgrade to a dedicated IP address.
Get a wildcard SSL certificate.
Change all URLs to HTTPS.
Renew your SSL certificate.

Greeting,
Rachel Gomez
