Fail to read ssl configuration

Hi all!!
I have a problem when I try to configure SSL and HTTPS for Elasticsearch; I have an Elasticsearch container on my localhost. I use "docker-compose up -d" to start the Elasticsearch container and exec into it as the root user. (I use the Elasticsearch 8.1.3 image.)
After that I ran the following commands to create the CA certificate:

./bin/elasticsearch-certutil ca --pem
./bin/elasticsearch-certutil ca 
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --pem

I did not use a password for the CA or the cert. I unzipped "certificate-bundle.zip" and "elastic-stack-ca.zip" and got a "ca" folder and an "instance" folder. Inside the "ca" folder I have "ca.crt" and "ca.key"; inside the "instance" folder I have "instance.crt" and "instance.key".
I copied the "ca.crt", "ca.key", "instance.crt" and "instance.key" files to the /etc/elasticsearch/ path with these commands:

mkdir /etc/elasticsearch
cp -r ca/ca.* /etc/elasticsearch/
chmod 644 /etc/elasticsearch/ca.*
cp -r instance/instance.* /etc/elasticsearch/
chmod 644 /etc/elasticsearch/instance.*

(Note that I don't know why my Elasticsearch container doesn't have a default /etc/elasticsearch path.)

After these 4 commands I have:

[screenshot of the resulting directory listing, 2022-05-24]

and here is my elasticsearch.yml file:

---
## Default Elasticsearch configuration from Elasticsearch base image.
## https://github.com/elastic/elasticsearch/blob/master/distribution/docker/src/docker/config/elasticsearch.yml
#
cluster.name: "docker-cluster"
network.host: 0.0.0.0

## X-Pack settings
## see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
#
xpack.license.self_generated.type: basic
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/instance.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/instance.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/ca/ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/instance.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/instance.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/ca/ca.crt

I restarted my Elasticsearch container, checked the log with "docker logs -f Elasticsearch" and got this error:

failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM certificate_authorities [/etc/elasticsearch/ca/ca.crt] because access to read the file is blocked; SSL resources should be placed in the [/usr/share/elasticsearch/config] directory
Likely root cause: java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/elasticsearch/ca/ca.crt" "read")

Do you have any suggestions for me? I'm new to Elasticsearch.
Thanks for your support :)

I succeeded in setting up SSL for Elasticsearch. The cause was the path to the certificate directory: I created the certificates under the new path "/usr/share/elasticsearch/config/certs/", and the Elasticsearch config file should look like this:

---
## Default Elasticsearch configuration from Elasticsearch base image.
## https://github.com/elastic/elasticsearch/blob/master/distribution/docker/src/docker/config/elasticsearch.yml
#
cluster.name: "docker-cluster"
network.host: 0.0.0.0

## X-Pack settings
## see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
#
xpack.license.self_generated.type: basic
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/instance/instance.key
xpack.security.transport.ssl.certificate: certs/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt

# HTTP-layer TLS is left disabled in this config, which is why the curl call below uses plain http://
xpack.security.http.ssl.enabled: false
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: certs/instance/instance.key
xpack.security.http.ssl.certificate: certs/instance/instance.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt

In my "/usr/share/elasticsearch/config" path I have:

I restarted Elasticsearch and looked at the logs; it looks like it is working and there are no errors in the log.
I used this command:

curl --cacert /usr/share/elasticsearch/config/certs/ca/ca.crt -u elastic 'http://localhost:9200/'

And it returned:

{
  "name" : "1fb876c9bfd6",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "BpJfoEk6SBWK2eKLzN8ZkA",
  "version" : {
    "number" : "8.1.3",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "39afaa3c0fe7db4869a161985e240bd7182d7a07",
    "build_date" : "2022-04-19T08:13:25.444693396Z",
    "build_snapshot" : false,
    "lucene_version" : "9.0.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Hope this solution can help someone who is facing the same problem.
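As an added example (not from the thread and not Elastic's own tooling), the shell below turns the two lessons of this thread into pre-flight checks you can run before restarting the container. The first post's "access to read the file is blocked" error is Elasticsearch's Java security manager refusing to read TLS key, certificate and CA files from anywhere outside its config directory, so `check_ssl_paths` scans an elasticsearch.yml and flags every `xpack.security.*.ssl` file setting that does not resolve inside that directory (relative paths are resolved against it, the way Elasticsearch does; `..` components are refused). The first post's `chmod 644` also leaves the private key world-readable, so `check_key_perms` flags a key readable by group or others. Assumptions: the official image's config directory `/usr/share/elasticsearch/config` (override with `ES_CONFIG`), path values without spaces, and `ls -l` output in the usual format. The two elasticsearch.yml snippets in `demo` are constructed from the configs posted above; the working config above keeps `xpack.security.http.ssl.enabled: false`, so the curl call there runs over plain HTTP and `--cacert` is unused, which is why the block ends with the equivalent check once HTTP TLS is on.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Pre-flight checks for a TLS setup of
# Elasticsearch in the official Docker image, where the Java security manager only
# lets the node read TLS files that live under its config directory.

ES_CONFIG="${ES_CONFIG:-/usr/share/elasticsearch/config}"   # assumption: official image layout

# check_ssl_paths <elasticsearch.yml> [config_dir]
# Returns 1 (and prints the offending settings on stderr) if any
# xpack.security.{transport,http}.ssl.{key,certificate,certificate_authorities}
# value would be read from outside config_dir. Relative values are resolved against
# config_dir; ".." is refused instead of normalised because the files may not exist yet.
check_ssl_paths() {
  yml=$1
  cfg=${2:-$ES_CONFIG}
  bad=$(
    grep -E '^[[:space:]]*xpack\.security\.(transport|http)\.ssl\.(key|certificate|certificate_authorities):' "$yml" |
    while IFS= read -r line; do
      setting=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/:.*$//')
      # value: text after the colon, trailing "# comment" and surrounding double quotes removed
      value=$(printf '%s\n' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
      case $value in
        ..|../*|*/..|*/../*) printf '%s: "%s" contains ".." (refused)\n' "$setting" "$value"; continue ;;
        /*)                  abs=$value ;;          # absolute: must already be under cfg
        *)                   abs=$cfg/$value ;;     # relative: Elasticsearch resolves it against cfg
      esac
      case $abs in
        "$cfg"/*) ;;                                 # inside the config directory: readable
        *) printf '%s: "%s" resolves to %s, outside %s\n' "$setting" "$value" "$abs" "$cfg" ;;
      esac
    done
  )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" >&2
  return 1
}

# check_key_perms <private-key-file>
# Returns 1 if the key is readable by group or others. "chmod 644 instance.key"
# makes the private key world-readable; 600, owned by the user the node runs as
# (uid 1000 in the official image), is enough for Elasticsearch to read it.
check_key_perms() {
  key=$1
  [ -f "$key" ] || { printf '%s: no such file\n' "$key" >&2; return 1; }
  perms=$(ls -ld "$key" | cut -c1-10)                # e.g. -rw-r--r--
  case $(printf '%s' "$perms" | cut -c5-10) in       # group+other bits
    ------) return 0 ;;
    *) printf '%s is %s: private key readable by group/other, use chmod 600\n' "$key" "$perms" >&2; return 1 ;;
  esac
}

# Constructed demonstration input: the first config from the thread (absolute
# /etc/elasticsearch paths, which the security manager blocks) and the working
# layout (everything under certs/ inside the config directory).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/broken.yml" <<'EOF'
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/instance.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/instance.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/ca/ca.crt
EOF
  cat > "$tmp/fixed.yml" <<'EOF'
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/instance/instance.key
xpack.security.transport.ssl.certificate: certs/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/instance/instance.key
xpack.security.http.ssl.certificate: certs/instance/instance.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt
EOF
  : > "$tmp/instance.key"; chmod 644 "$tmp/instance.key"   # what the first post did
  echo "broken.yml:"; check_ssl_paths "$tmp/broken.yml" || true
  echo "fixed.yml:";  check_ssl_paths "$tmp/fixed.yml" && echo "  all SSL paths inside $ES_CONFIG"
  check_key_perms "$tmp/instance.key" || true
  rm -rf "$tmp"
}
demo

# With HTTP TLS enabled (as in fixed.yml), verify against the CA instead of -k:
#   curl --cacert /usr/share/elasticsearch/config/certs/ca/ca.crt -u elastic https://localhost:9200/
```

Run it inside the container (or anywhere, pointing `ES_CONFIG` at a copy of the config directory) before `docker restart`; a non-zero exit from either function means the node would either refuse to start or start with a key any local user can read.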
