Failed signature check

WookWook · November 24, 2021, 10:58am

Hello,

I got an extended trial license for "Elastic Cloud on Kubernetes". At least I expect the license is for that product.

Following the instructions out of the mail for ECK.

To install the license, please follow the instructions in our documentation:

Elastic Cloud Enterprise (ECE): Manage licenses | Elastic Cloud Enterprise Reference [3.6] | Elastic

Elastic Cloud on Kubernetes (ECK): Manage licenses in ECK | Elastic Cloud on Kubernetes [2.10] | Elastic

Self-managed cluster (Stack): License Management | Kibana Guide [8.11] | Elastic

I can only find this error message:

{"log.level":"error","@timestamp":"2021-11-24T10:48:13.496Z","log.logger":"license","message":"Failed signature check","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","error":"crypto/rsa: verification error","error.stack_trace":"github.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*Verifier).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/verifier.go:35\ngithub.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*checker).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:111\ngithub.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*checker).CurrentEnterpriseLicense\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:77\ngithub.com/elastic/cloud-on-k8s/pkg/license.LicensingResolver.getOperatorLicense\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/license.go:135\ngithub.com/elastic/cloud-on-k8s/pkg/license.LicensingResolver.ToInfo\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/license.go:79\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Get\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:74\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Report\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:58\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Start\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:49\ngithub.com/elastic/cloud-on-k8s/cmd/manager.asyncTasks.func1\n\t/go/src/github.com/elastic/cloud-on-k8s/cmd/manager/main.go:612"}
{"log.level":"info","@timestamp":"2021-11-24T10:48:13.497Z","log.logger":"generic-reconciler","message":"Updating resource","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","kind":"ConfigMap","namespace":"elastic-system","name":"elastic-licensing"}
{"log.level":"error","@timestamp":"2021-11-24T10:50:13.497Z","log.logger":"license","message":"Failed signature check","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","error":"crypto/rsa: verification error","error.stack_trace":"github.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*Verifier).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/verifier.go:35\ngithub.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*checker).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:111\ngithub.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*checker).CurrentEnterpriseLicense\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:77\ngithub.com/elastic/cloud-on-k8s/pkg/license.LicensingResolver.getOperatorLicense\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/license.go:135\ngithub.com/elastic/cloud-on-k8s/pkg/license.LicensingResolver.ToInfo\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/license.go:79\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Get\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:74\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Report\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:58\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Start\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:49\ngithub.com/elastic/cloud-on-k8s/cmd/manager.asyncTasks.func1\n\t/go/src/github.com/elastic/cloud-on-k8s/cmd/manager/main.go:612"}
{"log.level":"info","@timestamp":"2021-11-24T10:50:13.497Z","log.logger":"generic-reconciler","message":"Updating resource","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","kind":"ConfigMap","namespace":"elastic-system","name":"elastic-licensing"}

Still on the basic license level.

kubectl -n elastic-system get configmap elastic-licensing -o json | jq .data

{
"eck_license_level": "basic",
"enterprise_resource_units": "1",
"timestamp": "2021-11-22T15:28:13Z",
"total_managed_memory": "7.52GB"
}

Secret seems fine

> kind: Secret
> apiVersion: v1
> metadata:
>   name: eck-license
>   namespace: elastic-system
>   selfLink: /api/v1/namespaces/elastic-system/secrets/eck-license
>   uid: c89f5384-00c8-44a2-a132-5bbd415f4606
>   resourceVersion: '228887552'
>   creationTimestamp: '2021-11-18T09:50:39Z'
>   labels:
>     license.k8s.elastic.co/scope: operator
>   managedFields:
>     - manager: kubectl-create
>       operation: Update
>       apiVersion: v1
>       time: '2021-11-18T09:50:39Z'
>       fieldsType: FieldsV1
>       fieldsV1:
>         'f:data':
>           .: {}
>           'f:ngda-netzgesellschaft-deutscher-apotheker-mbh-2b4f91f2-dc5e-467f-a9e1-7121b21ac33d-non_production-stack-v7.json': {}
>         'f:type': {}
>     - manager: kubectl-label
>       operation: Update
>       apiVersion: v1
>       time: '2021-11-18T09:51:04Z'
>       fieldsType: FieldsV1
>       fieldsV1:
>         'f:metadata':
>           'f:labels':
>             .: {}
>             'f:license.k8s.elastic.co/scope': {}
> data:
>   ngda-netzgesellschaft-deutscher-apotheker-mbh-2b4f91f2-dc5e-467f-a9e1-7121b21ac33d-non_production-stack-v7.json: >-
>     eyJsaWNlbnNlIjp7InVpZCI6...NjM3MTA3MjAwMDAwfX0=
> type: Opaque

pebrc · November 25, 2021, 9:05am

I think something went wrong when you created that secret. The recommended way is to use the create secret feature in kubectl

kubectl create secret generic eck-license --from-file=my-license-file.json -n elastic-system
kubectl label secret eck-license "license.k8s.elastic.co/scope"=operator -n elastic-system

If I look at the license you shared in your post I looks like a bit of your license was cut off at the end. NjM3MTA3MjAwMDAwfX0= is what you shared, when it should be NjM3MTA3MjAwMDAwfX1dfX0= so a few closing parentheses were cut off.

WookWook · November 25, 2021, 9:37am

Hello Peter,

thank you for your help!

I did it with the recommended way.

The data ist 1:1 the same like in the .json if I compare it local. So I guess that is fine.

NjM3MTA3MjAwMDAwfX0=
Did not cut off the ending. This is how it looks like in the .yaml

WookWook · November 25, 2021, 9:42am

A bit more info.

ECK 1.8
Elastic/Metricbeat/Kibana version 7.15.0
Azure Redhat Openshift Cluster 4.7.x

pebrc · November 25, 2021, 10:02am

That is what I mean, you are missing the closing ]}} parentheses here. The document you have in the secret is not valid JSON. I am not sure where this got lost, maybe a copy paste mistake?

I realised too late that this is the wrong license type, this is an individual Elasticsearch cluster license but the ECK operator needs an orchestration license. You need to either download the correct type or reach out to your contact at Elastic to provide your with the correct license. Sorry about that.

system · January 10, 2022, 12:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.