/etc/elasticsearch/certs/ - 3 files

I saw there is a directory /etc/elasticsearch/certs/ and inside there are three files: http_ca.crt, http.p12 and transport.p12. What if these files were deleted? Is there a way to generate new ones?

Hi @Timberwolve77 Welcome to the community.

Don't delete them :wink:

But yes there is a quite detailed tool to recreate them.

And you would follow these instructions

And you would probably need to fix Kibana settings too if you already did automatic setup.

root@elastic:/usr/share/elasticsearch/bin# ./elasticsearch-certutil http

Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.

Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).

If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]N

Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]y

What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.

CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12

Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

I am typing the password correctly but keep receiving this error...

Exception in thread "main" org.elasticsearch.ElasticsearchException: Failed to read keystore /usr/share/elasticsearch/elastic-stack-ca.p12
        at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.readKeystoreCA(HttpCertificateCommand.java:1028)
        at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.findExistingCA(HttpCertificateCommand.java:816)
        at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.execute(HttpCertificateCommand.java:171)
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
        at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.Command.main(Command.java:50)
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyPairsFromKeystore(CertParsingUtils.java:105)
        at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.readKeystoreCA(HttpCertificateCommand.java:1013)
        ... 9 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 15 more
root@elastic:/usr/share/elasticsearch/bin#

What version are you using?

Are there special characters in the password (should be ok)?

I just ran the process and it worked fine... with 8.8.0

Are you sure you are referencing the correct elastic-stack-ca.p12? I ask because when you ran the CA part, did you give it a full path? Without it, it may put it in an unexpected place.


What version are you using? 8.8.0

Are there special characters in the password (should be ok)? Yes.

I just ran the process and it worked fine...

Are you sure you are referencing the correct elastic-stack-ca.p12? The original is in /usr/share/elasticsearch/ and there is a copy in /etc/elasticsearch. If the password is forgotten or doesn't work, just recreate the CA, is my guess. I appreciate your help.

I suspect you are referencing the wrong one; my suggestion: always use a fully qualified path on create and reference. ... And yes, if you forgot or lost it you will need to recreate, BUT typically you put that value in the elasticsearch keystore (not to be confused with the .p12 as a keystore ... too many uses of the word keystore).

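The thread leaves two possible causes for the "keystore password was incorrect" error: pointing certutil at a different copy of the CA than the one whose password you remember, or a password that simply does not open that copy. The script below is an added example, not from the thread or from Elastic: it fingerprints each candidate .p12, tests whether a password opens it with the openssl CLI (assumed installed), and reports whether two copies are actually the same file. The two demo keystores and their passwords are constructed stand-ins for the /usr/share/elasticsearch and /etc/elasticsearch copies.

```shell
#!/bin/sh
# Added diagnostic for the thread's error; assumes the openssl CLI. All paths and
# passwords below are constructed for the demo, not values from a real cluster.
set -u

# check_p12 PATH PASSWORD -> prints ok | bad-password | missing; returns 0 only for ok.
check_p12() {
    p12="$1"; pw="$2"
    if [ ! -r "$p12" ]; then
        echo "missing"; return 2
    fi
    # Open the store without extracting keys; openssl exits non-zero when the
    # password does not verify the PKCS#12 MAC (the same failure certutil reports).
    if openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pw" -out /dev/null 2>/dev/null; then
        echo "ok"; return 0
    fi
    echo "bad-password"; return 1
}

# sha256_of FILE -> hex digest, so two copies can be compared by content.
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# same_file A B -> returns 0 when both copies have identical content.
same_file() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Throwaway CA keystore standing in for elastic-stack-ca.p12 (constructed, 1-day cert).
make_demo_ca() {
    dir="$1"; pw="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
        -name ca -out "$dir/elastic-stack-ca.p12" -passout "pass:$pw" 2>/dev/null
}

DEMO="$(mktemp -d)"
mkdir -p "$DEMO/share" "$DEMO/etc"
make_demo_ca "$DEMO/share" "share-pass"   # the copy whose password you remember
make_demo_ca "$DEMO/etc" "etc-pass"       # a copy created separately, different password

for f in "$DEMO/share/elastic-stack-ca.p12" "$DEMO/etc/elastic-stack-ca.p12"; do
    echo "$(sha256_of "$f")  $f  $(check_p12 "$f" share-pass)"
done
same_file "$DEMO/share/elastic-stack-ca.p12" "$DEMO/etc/elastic-stack-ca.p12" \
    && echo "copies are identical" || echo "copies differ: confirm which path certutil was given"
```

Run it against the real paths by replacing the two demo files with the absolute paths of your CA copies and the password you believe is correct; a "bad-password" on one copy and "ok" on the other means the path, not the password, is the problem.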
