Failed signature check

Hello,

I got an extended trial license for "Elastic Cloud on Kubernetes". At least I expect the license is for that product.

Following the instructions out of the mail for ECK.

To install the license, please follow the instructions in our documentation:

I can only find this error message:

{"log.level":"error","@timestamp":"2021-11-24T10:48:13.496Z","log.logger":"license","message":"Failed signature check","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","error":"crypto/rsa: verification error","error.stack_trace":"github.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*Verifier).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/verifier.go:35\ngithub.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*checker).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:111\ngithub.com - This website is for sale! - ngithub Resources and Information.).CurrentEnterpriseLicense\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:77\ngithub.com/elastic/cloud-on-k8s/pkg/license.LicensingResolver.getOperatorLicense\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/license.go:135\ngithub.com/elastic/cloud-on-k8s/pkg/license.LicensingResolver.ToInfo\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/license.go:79\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Get\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:74\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Report\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:58\ngithub.com/elastic/cloud-on-k8s/pkg/license.ResourceReporter.Start\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/license/reporter.go:49\ngithub.com/elastic/cloud-on-k8s/cmd/manager.asyncTasks.func1\n\t/go/src/github.com/elastic/cloud-on-k8s/cmd/manager/main.go:612"}
{"log.level":"info","@timestamp":"2021-11-24T10:48:13.497Z","log.logger":"generic-reconciler","message":"Updating resource","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","kind":"ConfigMap","namespace":"elastic-system","name":"elastic-licensing"}
{"log.level":"error","@timestamp":"2021-11-24T10:50:13.497Z","log.logger":"license","message":"Failed signature check","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","error":"crypto/rsa: verification error","error.stack_trace":"github.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*Verifier).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/verifier.go:35\ngithub.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*checker).Valid\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:111\ngithub.com/elastic/cloud-on-k8s/pkg/controller/common/license.(*checker).CurrentEnterpriseLicense\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/common/license/check.go:77\ngithub.com - This website is for sale! - ngithub Resources and Information."}
{"log.level":"info","@timestamp":"2021-11-24T10:50:13.497Z","log.logger":"generic-reconciler","message":"Updating resource","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","kind":"ConfigMap","namespace":"elastic-system","name":"elastic-licensing"}

Still on the basic license level.

kubectl -n elastic-system get configmap elastic-licensing -o json | jq .data

{
"eck_license_level": "basic",
"enterprise_resource_units": "1",
"timestamp": "2021-11-22T15:28:13Z",
"total_managed_memory": "7.52GB"
}

Secret seems fine

> kind: Secret
> apiVersion: v1
> metadata:
>   name: eck-license
>   namespace: elastic-system
>   selfLink: /api/v1/namespaces/elastic-system/secrets/eck-license
>   uid: c89f5384-00c8-44a2-a132-5bbd415f4606
>   resourceVersion: '228887552'
>   creationTimestamp: '2021-11-18T09:50:39Z'
>   labels:
>     license.k8s.elastic.co/scope: operator
>   managedFields:
>     - manager: kubectl-create
>       operation: Update
>       apiVersion: v1
>       time: '2021-11-18T09:50:39Z'
>       fieldsType: FieldsV1
>       fieldsV1:
>         'f:data':
>           .: {}
>           'f:ngda-netzgesellschaft-deutscher-apotheker-mbh-2b4f91f2-dc5e-467f-a9e1-7121b21ac33d-non_production-stack-v7.json': {}
>         'f:type': {}
>     - manager: kubectl-label
>       operation: Update
>       apiVersion: v1
>       time: '2021-11-18T09:51:04Z'
>       fieldsType: FieldsV1
>       fieldsV1:
>         'f:metadata':
>           'f:labels':
>             .: {}
>             'f:license.k8s.elastic.co/scope': {}
> data:
>   ngda-netzgesellschaft-deutscher-apotheker-mbh-2b4f91f2-dc5e-467f-a9e1-7121b21ac33d-non_production-stack-v7.json: >-
>     eyJsaWNlbnNlIjp7InVpZCI6...NjM3MTA3MjAwMDAwfX0=
> type: Opaque

I think something went wrong when you created that secret. The recommended way is to use the create secret feature in kubectl

kubectl create secret generic eck-license --from-file=my-license-file.json -n elastic-system
kubectl label secret eck-license "license.k8s.elastic.co/scope"=operator -n elastic-system

If I look at the license you shared in your post I looks like a bit of your license was cut off at the end. NjM3MTA3MjAwMDAwfX0= is what you shared, when it should be NjM3MTA3MjAwMDAwfX1dfX0= so a few closing parentheses were cut off.

Hello Peter,

thank you for your help!

I did it with the recommended way.

The data ist 1:1 the same like in the .json if I compare it local. So I guess that is fine.

NjM3MTA3MjAwMDAwfX0=
Did not cut off the ending. This is how it looks like in the .yaml

A bit more info.

ECK 1.8
Elastic/Metricbeat/Kibana version 7.15.0
Azure Redhat Openshift Cluster 4.7.x

That is what I mean, you are missing the closing ]}} parentheses here. The document you have in the secret is not valid JSON. I am not sure where this got lost, maybe a copy paste mistake?

I realised too late that this is the wrong license type, this is an individual Elasticsearch cluster license but the ECK operator needs an orchestration license. You need to either download the correct type or reach out to your contact at Elastic to provide your with the correct license. Sorry about that.

1 Like