I am trying to create my own PKCS12 certificate files to use with elasticsearch, but when I do `systemctl start elasticsearch`, I get this error:
[2024-09-15T01:24:22,581][ERROR][o.e.b.Elasticsearch ] [node1] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/ca/root.p12] does not contain any trusted certificate entries
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:620) ~[?:?]
    at java.util.HashMap.forEach(HashMap.java:1429) ~[?:?]
    at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1708) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:616) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:160) ~[?:?]
    at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:496) ~[?:?]
    at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:325) ~[?:?]
    at org.elasticsearch.node.NodeConstruction.lambda$construct$13(NodeConstruction.java:868) ~[elasticsearch-8.15.1.jar:?]
    at org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:253) ~[elasticsearch-8.15.1.jar:?]
    at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:288) ~[?:?]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:212) ~[?:?]
    at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:556) ~[?:?]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:546) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:622) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:291) ~[?:?]
    at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:631) ~[?:?]
    at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:637) ~[?:?]
    at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:642) ~[?:?]
    at org.elasticsearch.node.NodeConstruction.construct(NodeConstruction.java:868) ~[elasticsearch-8.15.1.jar:?]
    at org.elasticsearch.node.NodeConstruction.prepareConstruction(NodeConstruction.java:270) ~[elasticsearch-8.15.1.jar:?]
    at org.elasticsearch.node.Node.<init>(Node.java:192) ~[elasticsearch-8.15.1.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:242) ~[elasticsearch-8.15.1.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:242) ~[elasticsearch-8.15.1.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:76) ~[elasticsearch-8.15.1.jar:?]
Caused by: org.elasticsearch.common.ssl.SslConfigException: the truststore [/etc/elasticsearch/certs/ca/root.p12] does not contain any trusted certificate entries
    at org.elasticsearch.common.ssl.StoreTrustConfig.checkTrustStore(StoreTrustConfig.java:134) ~[?:?]
    at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:84) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:479) ~[?:?]
    at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:618) ~[?:?]
    ... 24 more
I will show the steps I ran on Ubuntu 22.04.
Install Elasticsearch like this:
apt-get install -y gnupg gpg;
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg;
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list;
apt-get install -y apt-transport-https;
apt-get update;
apt-get install -y elasticsearch;
Then you can make the `root.p12` and `entity.p12` like this:
# make a directory for ca certs
mkdir /etc/elasticsearch/certs/ca;
cd /etc/elasticsearch/certs/ca;
# make root.key, root.crt and root.p12
openssl genrsa -out root.key 2048
openssl req -x509 -sha256 -nodes -key root.key \
    -subj "/C=CA/ST=ON/O=ElasticDemo/CN=ca.example.com" -days 3650 -out root.crt
# enter a password when prompted
openssl pkcs12 -export -out root.p12 -inkey root.key -in root.crt
cd /etc/elasticsearch/certs/
# make entity.key, entity.crt, entity.p12 for each domain
fqdn="node1.example.com"
mkdir -p "$fqdn";
cd "$fqdn";
# create a template meta.cnf file
cat >meta.cnf <<EOL
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = ${fqdn}
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${fqdn}
EOL
openssl genrsa -out entity.key 2048
openssl req -new -sha256 -nodes -key entity.key -config meta.cnf -out entity.csr
openssl x509 -req -in entity.csr -CA ../ca/root.crt -CAkey ../ca/root.key \
    -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req \
    -extfile meta.cnf;
# enter a password when prompted
openssl pkcs12 -export -out entity.p12 -inkey entity.key -in entity.crt
chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs
Running this command shows the certs look ok:
openssl pkcs12 -info -in /etc/elasticsearch/certs/ca/root.p12 -nokeys
I then made this for my `/etc/elasticsearch/elasticsearch.yml`:
cluster.name: my-application
node.name: node1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: node1.example.com
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/node1.example.com/entity.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/node1.example.com/entity.p12
  truststore.path: certs/ca/root.p12
cluster.initial_master_nodes: ["node1"]
http.host: 0.0.0.0
I ran these commands to set the password for keystore and truststore:
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
I started elasticsearch with `systemctl start elasticsearch`. This yielded an error and asked me to look in the `/var/log/elasticsearch/my-application.log` file, which is what I pasted at the beginning of this question.
What did I do wrong?
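The error names the exact condition Elasticsearch checks: the file at `truststore.path` must contain at least one entry that Java classifies as a trusted certificate entry (`trustedCertEntry`). An `openssl pkcs12 -export -inkey root.key -in root.crt` bundle holds the CA as a `PrivateKeyEntry` instead, and a certificate bag written by `openssl pkcs12 -export -nokeys` is not marked as trusted either, so Java's PKCS12 loader drops it; `openssl pkcs12 -info` cannot tell these apart, which is why the check in the question looks fine while the node refuses to boot. The script below is an added example, not part of the question: it counts the trusted entries Java sees in a `.p12` with `keytool -list`, builds a truststore that does contain a `trustedCertEntry` with `keytool -importcert`, and compares the three packagings on a throwaway CA. It assumes `openssl` and `keytool` are available (the `.deb` ships a JDK, so `/usr/share/elasticsearch/jdk/bin/keytool` exists on the node) and can be pointed at another JDK via the `KEYTOOL` variable, which is this example's own convention. The password is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the question): inspect which kind of entries a
# PKCS12 file holds from Java's point of view, and build a truststore that
# Elasticsearch will accept for truststore.path. Assumes openssl and keytool
# are on PATH or that the Elasticsearch-bundled JDK is installed.
set -eu

# KEYTOOL is this example's own override variable, not an Elasticsearch setting.
KEYTOOL="${KEYTOOL:-$(command -v keytool || echo /usr/share/elasticsearch/jdk/bin/keytool)}"

# Print how many trustedCertEntry entries Java sees in a PKCS12 file.
# Usage: p12_trusted_entries FILE STOREPASS
p12_trusted_entries() {
    "$KEYTOOL" -list -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null \
        | grep -c 'trustedCertEntry' || true
}

# Build a truststore holding only the CA certificate, flagged as trusted.
# Usage: make_truststore CA_CERT_PEM OUT_P12 STOREPASS
make_truststore() {
    rm -f "$2"
    "$KEYTOOL" -importcert -noprompt -alias ca -file "$1" \
        -keystore "$2" -storetype PKCS12 -storepass "$3" >/dev/null 2>&1
}

# Package one throwaway CA certificate three ways and count trusted entries.
# Returns 0 when only the keytool-built store contains a trusted entry.
demo() {
    tmp=$(mktemp -d)
    pass="demo-store-password"   # constructed throwaway password
    # Throwaway self-signed CA with the same shape as root.key/root.crt above.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo-ca.example.test" \
        -keyout "$tmp/root.key" -out "$tmp/root.crt" 2>/dev/null
    # (a) key and certificate exported together: a PrivateKeyEntry.
    openssl pkcs12 -export -inkey "$tmp/root.key" -in "$tmp/root.crt" \
        -out "$tmp/keypair.p12" -passout "pass:$pass"
    # (b) certificate only, but as a plain cert bag without a trust attribute.
    openssl pkcs12 -export -nokeys -in "$tmp/root.crt" \
        -out "$tmp/certonly.p12" -passout "pass:$pass"
    # (c) keytool import: a certificate bag that Java lists as trustedCertEntry.
    make_truststore "$tmp/root.crt" "$tmp/trust.p12" "$pass"

    a=$(p12_trusted_entries "$tmp/keypair.p12" "$pass")
    b=$(p12_trusted_entries "$tmp/certonly.p12" "$pass")
    c=$(p12_trusted_entries "$tmp/trust.p12" "$pass")
    echo "openssl -export key+cert : $a trusted entries"
    echo "openssl -export -nokeys  : $b trusted entries"
    echo "keytool -importcert      : $c trusted entries"
    rm -rf "$tmp"
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && [ "$c" -eq 1 ]
}

# Run the comparison with:  sh check_truststore.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Running `p12_trusted_entries /etc/elasticsearch/certs/ca/root.p12 <password>` against the file from the question reproduces the node's complaint directly: it reports 0. Creating `root.p12` with `make_truststore root.crt root.p12 <password>` instead of `openssl pkcs12 -export`, then re-running the `elasticsearch-keystore add ...truststore.secure_password` step with that password, gives `truststore.path` a file with exactly one trusted entry. The cert-only export in (b) is worth keeping in mind because it passes every `openssl` inspection yet fails the same Java check; OpenSSL 3.2 and later can mark such a bag as trusted with `-jdktrust`, but Ubuntu 22.04 ships 3.0, so `keytool` is the portable route there.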