TimV, thanks for your answer. Exact failure is that cluster isn't health, isn't it?
I agree about the incorrectness of the config, but how should it look? I tried this
but got an error:
2021-07-06T06:59:07.843098542Z FATAL Error: ENOENT: no such file or directory, open '/usr/share/elasticsearch/config/certificates/Root_CA_2012.cer,/usr/share/elasticsearch/config/certificates/Sub2_CA_2012.cer'
At the same time, it is interesting that the container itself contains these certificates while the container is alive (kibana alived a few seconds and then got status "Exited"):
# docker exec -it kib01 /bin/bash
bash-4.4$ ls /usr/share/elasticsearch/config/certificates/
Root_CA_2012.cer Sub2_CA_2012.cer ...
I also tried config with PKCS12 (solutions 1 and 2 from Can't start ES 7.3.0 with x-pack security enabled):
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.verification_mode=certificate
- xpack.security.http.ssl.keystore.type=PKCS12
- xpack.security.http.ssl.truststore.type=PKCS12
- xpack.security.http.ssl.keystore.secure_password=
- xpack.security.http.ssl.truststore.secure_password=
- xpack.security.http.ssl.keystore.path=$CERTS_DIR/elk-dkb-test_nopas.p12
- xpack.security.http.ssl.truststore.path=$CERTS_DIR/elk-dkb-test_nopas.p12
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.keystore.type=PKCS12
- xpack.security.transport.ssl.truststore.type=PKCS12
- xpack.security.transport.ssl.keystore.path=$CERTS_DIR/elk-dkb-test_nopas.p12
- xpack.security.transport.ssl.truststore.path=$CERTS_DIR/elk-dkb-test_nopas.p12
but received an errors, solution 1:
2021-07-06T09:31:52.230550017Z "stacktrace": ["org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.];",
...
2021-07-06T09:31:52.230663591Z "Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]",
...
2021-07-06T09:31:52.230850972Z "Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager",
solution 2:
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.verification_mode=certificate
- xpack.security.http.ssl.keystore.type=PKCS12
- xpack.security.http.ssl.truststore.type=PKCS12
- xpack.security.http.ssl.keystore.secure_password=$SECPAS
- xpack.security.http.ssl.truststore.secure_password=$SECPAS
- xpack.security.http.ssl.keystore.path=$CERTS_DIR/elk-dkb-test.p12
- xpack.security.http.ssl.truststore.path=$CERTS_DIR/elk-dkb-test.p12
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.keystore.type=PKCS12
- xpack.security.transport.ssl.truststore.type=PKCS12
- xpack.security.transport.ssl.keystore.secure_password=$SECPAS
- xpack.security.transport.ssl.truststore.secure_password=$SECPAS
- xpack.security.transport.ssl.keystore.path=$CERTS_DIR/elk-dkb-test.p12
- xpack.security.transport.ssl.truststore.path=$CERTS_DIR/elk-dkb-test.p12
2021-07-06T12:02:03.410147079Z {"type": "server", "timestamp": "2021-07-06T12:02:03,404Z", "level": "ERROR", "component": "o.e.b.ElasticsearchUncaughtExceptionHandler", "cluster.name": "es-docker-cluster", "node.name": "es01", "message": "uncaught exception in thread [main]",
2021-07-06T12:02:03.410179378Z "stacktrace": ["org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Setting [xpack.security.http.ssl.truststore.secure_password] is a secure setting and must be stored inside the Elasticsearch keystore, but was found inside elasticsearch.yml",
...