Fail to load SSL configuration while using docker image

Hi,

Trying to install Elasticsearch latest version via docker.

I have already created a certificate and am pushing it to the image like below (excerpt from yml):

volumes:
- ./elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12

"stacktrace": ["org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - not permitted to read truststore file [/usr/share/elasticsearch/config/elastic-stack-ca.p12]]; nested: AccessDeniedException[/usr/share/elasticsearch/config/elastic-stack-ca.p12];

I can see it's an access issue but I'm not sure how to fix it, i.e. how to grant access to that location, because the docker container exits after that exception and I can't use commands like exec --it bash to change the file permission.

Any thoughts?

Assuming that you are using our official image (and if you don't, you should), the user that elasticsearch runs under has a UID of 1000, so you should make sure that the elastic-stack-ca.p12 is owned by that user (chown 1000:0 elastic-stack-ca.p12) or that it is readable by all users.

Thanks, so should I add it as
CMD chown 1000:0 elastic-stack-ca.p12
in the docker file or is there any better way?

Here is my yml file

version: '3'

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2
    container_name: elasticsearch
    environment:
      - node.name=elasticsearch
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=elasticsearch
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      # - xpack.security.enabled=true
      # - xpack.security.transport.ssl.enabled=true
      # - xpack.security.transport.ssl.keystore.type=PKCS12
      # - xpack.security.transport.ssl.verification_mode=certificate
      # - xpack.security.transport.ssl.keystore.path=elastic-stack-ca.p12
      # - xpack.security.transport.ssl.truststore.path=elastic-stack-ca.p12
      # - xpack.security.transport.ssl.truststore.type=PKCS12
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12
      - esdata1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200

    *command: chown -R 1000:0 /usr/share/elasticsearch/*
  kibana:
    image: docker.elastic.co/kibana/kibana:7.4.2
    container_name: kibana
    environment:
      ELASTICSEARCH_URL: "http://elasticsearch:9200"
      ELASTICSEARCH_USERNAME: "kibana"
      ELASTICSEARCH_PASSWORD: "kibana"
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch

volumes:
  esdata1:
    driver: local

I'm not sure where to add the command so it runs at the appropriate time. I tried a few places but it gives me an error.

Any advice?

no love :frowning:

Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response or opening multiple topics for the same question. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient". Also, please refrain from pinging folks directly, this is a forum and anyone that participates might be able to assist you.

If you are in need of a service with an SLA that covers response times for questions then you may want to consider talking to us about a subscription.

It's fine to answer on your own thread after 2 or 3 days (not including weekends) if you don't have an answer.

I try to observe the code of conduct, it's for our common good.

Here is an excerpt from the "Be patient" section:
One reminder ping is welcome, many reminder pings in rapid succession are not a good display of patience.

As one can see, I posted some details and then the YML to elaborate, and then a ping, one ping. So I thought I was under the norms. I had no intention to flood it. I much appreciate volunteer responses and we learn a lot from such forums. Respect and thanks to all contributors.

One comment though: wouldn't it be 'nicer' if some help was also provided besides policing?

I stand with what David said above, please be patient, we all do our best around here :slight_smile:

Not everyone has the time, insights, or a ready answer for each of the questions, that doesn't mean that bringing up the code of conduct of the forums is a bad approach. Don't consider this as policing, but rather as a friendly reminder. It had only been 19hrs since you asked the previous question :slight_smile:

Answering your original question: you don't need to do this as part of your docker compose file. Do it once, for your existing elastic-stack-ca.p12 file, and then map it as a volume, as you already do.

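A host-side preflight check for the advice in the last reply, as an added example that is not part of the original thread: it reports whether a file about to be bind-mounted is readable by the container user, so the AccessDeniedException is caught before the container starts. It assumes a Linux host with GNU `stat`; UID 1000 and group 0 are taken from the `chown 1000:0` suggested above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run on the Docker host before "docker-compose up".
ES_UID=1000   # UID the reply above gives for the official image's user
ES_GID=0      # group used in the suggested "chown 1000:0"

# can_read OWNER_UID OWNER_GID OCTAL_MODE
# Succeeds if a process running as ES_UID:ES_GID may read a file with this
# ownership and mode. Only one permission class is consulted: owner if the
# UID matches, otherwise group if the GID matches, otherwise other.
can_read() {
    m=$((0$3))                      # leading 0: parse the mode as octal
    if [ "$1" -eq "$ES_UID" ]; then
        bit=$(($m & 0400))
    elif [ "$2" -eq "$ES_GID" ]; then
        bit=$(($m & 0040))
    else
        bit=$(($m & 0004))
    fi
    [ "$bit" -ne 0 ]
}

# check_mount FILE
# Returns 0 if readable in the container, 1 if not, 2 if stat failed.
check_mount() {
    f=$1
    info=$(stat -c '%u %g %a' -- "$f") || return 2
    # Intentional word splitting: info is "uid gid mode".
    set -- $info
    if can_read "$1" "$2" "$3"; then
        echo "OK: $f (owner $1:$2, mode $3)"
    else
        echo "NOT READABLE by $ES_UID:$ES_GID: $f (owner $1:$2, mode $3)"
        echo "  fix on the host: chown $ES_UID:$ES_GID '$f'"
        return 1
    fi
}

# Check every path given on the command line, for example
# ./elastic-stack-ca.p12; exit non-zero if any of them would fail.
rc=0
for path in "$@"; do
    check_mount "$path" || rc=1
done
[ "$rc" -eq 0 ] || exit "$rc"
```

A bind mount keeps the host file's numeric owner and mode inside the container, which is why the check and the fix both happen on the host.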