Failed to ADD xpack.security.http.ssl.enabled

security

(Rajeshwer rao Madoori) #1

Hi,

I am trying to make Elasticsearch HTTP endpoints and HTTPS endpoints.
I generated certs from cert manager.

```
[2018-10-13T21:07:50,096][DEBUG][o.e.x.c.s.SSLService ] [es-coordinating] using ssl settings [SSLConfiguration{keyConfig=[NONE], trustConfig=JDK trusted certs], cipherSuites=[[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]], supportedProtocols=[[TLSv1.2, TLSv1.1, TLSv1]], sslClientAuth=[REQUIRED], verificationMode=[FULL]}]
[2018-10-13T21:07:50,202][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [es-coordinating] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.3.0.jar:6.3.0]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.3.0.jar:6.3.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) ~[elasticsearch-6.3.0.jar:6.3.0]
Caused by: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
Caused by: java.lang.IllegalArgumentException: Setting [secure_key_passphrase] is a secure setting and must be stored inside the Elasticsearch keystore, but was found inside elasticsearch.yml
    at org.elasticsearch.common.settings.SecureSetting.get(SecureSetting.java:88) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.xpack.core.ssl.CertUtils.createKeyConfig(CertUtils.java:195) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:187) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLConfiguration.<init>(SSLConfiguration.java:70) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$0(SSLService.java:453) ~[?:?]
    at java.util.ArrayList.forEach(ArrayList.java:1378) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:452) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:79) ~[?:?]
    at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:134) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:488) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:162) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.node.Node.<init>(Node.java:311) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.0.jar:6.3.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.0.jar:6.3.0]
```


(Albert Zaharovits) #2

Hi @rmadoori,

This leads me to think that you have not used Secure settings for at least one `*.ssl.secure_key_passphrase` setting, and instead you have specified it inside the `elasticsearch.yml` config file.

For example, to set the passphrase for the private key used for HTTPS communication, run
`bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase` in ES home.


(Rajeshwer rao Madoori) #3

Hi,

I am running the cluster on Kubernetes using Docker containers.

Thanks for responding. I have removed the passphrase for my certs and it worked.
The next thing is that I am running in cluster mode: I have a master node, a data node and a coordinating node. How do I make sure that they all communicate? Previously, since it was HTTP, I didn't have to do anything.
But now, since it's HTTPS, do I need to add the certs across all nodes for communication?

My elasticsearch.yaml for the coordinating node looks like this:

```yaml
elasticsearch.yml: |
  cluster.name: es-cluster
  node.master: false
  node.data: false
  node.name: es-coordinating
  node.ingest: false
  network.host: 0.0.0.0
  http.port: 9200
  discovery.zen.minimum_master_nodes: 1
  discovery.zen.ping.unicast.hosts: ["es-coordinating","es-master","es-data"]
  node.ml: false
  xpack.security.enabled: true
  xpack.ml.enabled: true
  xpack.security.http.ssl.enabled: true
  xpack.security.http.ssl.verification_mode: certificate
  xpack.security.http.ssl.key: /usr/share/elasticsearch/data/certs/tls.key
  xpack.security.http.ssl.certificate: /usr/share/elasticsearch/data/certs/tls.crt
```


(Albert Zaharovits) #4

Hi @rmadoori,

Have you checked the docs for the Elasticsearch docker container about TLS encryption?
configuring-tls-docker
It creates a two node cluster. You can extend that configuration to your needs.
The example that I've pointed you at has a "fire-once" container configuration that is generating the certificates. The TLS configuration that is used is certificate validation mode.

Moreover, I see from the node configuration that you are sharing that you're only setting TLS for the HTTP layer.
From the Configuring Security guide, at point 4, TLS is required only for the internode communication. You don't have such settings in your config file.
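
The two checks raised in replies #2 and #4, as an added example that is not part of the original thread and not Elastic tooling: a lint that flags secure settings left in `elasticsearch.yml` and a security-enabled node with no transport-layer TLS. The function names, the `secure_` last-segment heuristic and the two sample configs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint an elasticsearch.yml for the two problems in this thread.

# Flat "key: value" lines with comments and surrounding whitespace stripped.
flat_settings() {
  sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    grep -E '^[A-Za-z_][A-Za-z0-9_.]*:[[:space:]]*[^[:space:]]'
}

# Keys whose last segment starts with "secure_" (heuristic, an assumption).
secure_keys_in_yml() {
  flat_settings "$1" | cut -d: -f1 | grep -E '(^|\.)secure_[a-z_]+$' || true
}

# Value of one setting; empty when the key is absent.
setting() {
  flat_settings "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# Returns 0 when both checks pass, 1 otherwise; prints one line per finding.
lint_es_config() {
  local file="$1" rc=0 key
  for key in $(secure_keys_in_yml "$file"); do
    echo "FAIL: $key is in the yml; run: bin/elasticsearch-keystore add $key"
    rc=1
  done
  if [ "$(setting "$file" xpack.security.enabled)" = "true" ] &&
     [ "$(setting "$file" xpack.security.transport.ssl.enabled)" != "true" ]; then
    echo "FAIL: xpack.security.transport.ssl.enabled is not true (HTTP-only TLS)"
    rc=1
  fi
  return "$rc"
}

# Constructed sample configs, modelled on the settings quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/bad.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/data/certs/tls.key
xpack.security.http.ssl.secure_key_passphrase: constructed-example
EOF
cat > "$tmp/good.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
EOF
lint_es_config "$tmp/bad.yml" || true
lint_es_config "$tmp/good.yml" && echo "good.yml: OK"
```

In a Kubernetes setup like the one in post #3, the same check can be pointed at the rendered `elasticsearch.yml` from the ConfigMap before the pod starts.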

