Failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/share/elasticsearch/ssl/qa.pfx] does not contain any trusted certificate entries

Hello,
I encountered an SSL certificate trust issue when attempting to upgrade a single-node Elasticsearch instance from version 7.17 to 8.0; the same certificate was working on 7.17. I am using a valid certificate chain provided by my organization, which includes the private key and is in the .pfx format. I have also included my docker-compose.yml and Dockerfile for reference. What steps should I take to resolve this SSL certificate trust issue?

```text
2023-09-06T11:06:18.896781000Z uncaught exception in thread [main]
2023-09-06T11:06:18.897057000Z org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/share/elasticsearch/ssl/qa.pfx] does not contain any trusted certificate entries
2023-09-06T11:06:18.897315000Z Likely root cause: org.elasticsearch.common.ssl.SslConfigException: the truststore [/usr/share/elasticsearch/ssl/qa.pfx] does not contain any trusted certificate entries
2023-09-06T11:06:18.897573000Z at org.elasticsearch.common.ssl.StoreTrustConfig.checkTrustStore(StoreTrustConfig.java:135)
```

Elasticsearch Dockerfile

```dockerfile
# Capitalised tokens (CERT_PATH, CERT_PASS, ADMIN_PASSWORD, ...) are placeholders that are
# substituted before the build; the scanner token and checksum are real build arguments.
FROM docker.elastic.co/elasticsearch/elasticsearch:8.0.1
ARG MICROSCANNER_TOKEN
ARG MICROSCANNER_SHA
RUN elasticsearch-plugin install repository-azure --batch && \
    elasticsearch-keystore create
RUN mkdir -p /usr/share/elasticsearch/ssl
COPY ["CERT_PATH", "/usr/share/elasticsearch/ssl/"]
# Every secret is read from stdin (-x) and overwritten if already present (-f). The literal
# values remain visible in the image history (docker history), so build only in a trusted pipeline.
RUN echo "DEFAULT_STORAGE_ACCOUNT_NAME" | elasticsearch-keystore add azure.client.default.account -xf && \
    echo "DEFAULT_STORAGE_ACCOUNT_KEY" | elasticsearch-keystore add azure.client.default.key -xf
RUN echo "SECONDARY_STORAGE_ACCOUNT_NAME" | elasticsearch-keystore add azure.client.secondary.account -xf && \
    echo "SECONDARY_STORAGE_ACCOUNT_KEY" | elasticsearch-keystore add azure.client.secondary.key -xf
RUN echo "ADMIN_PASSWORD" | elasticsearch-keystore add bootstrap.password -xf && \
    echo "CERT_PASS" | elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password -xf && \
    echo "CERT_PASS" | elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password -xf && \
    echo "ES_TRANSPORT_SSL_PASSWORD" | elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password -xf && \
    echo "ES_TRANSPORT_SSL_PASSWORD" | elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password -xf
USER root
RUN apt-get update && apt-get install -y openssl wget
# Pull the CA chain (certificates only), the node private key and the node certificate out of the .pfx.
# -chain is an export-only option with no effect when parsing, so it is not used here.
RUN echo "CERT_PASS" | openssl pkcs12 -in /usr/share/elasticsearch/ssl/qa.pfx -out /usr/share/elasticsearch/ssl/elasticsearch-http-ca.crt -cacerts -nokeys -passin stdin
RUN echo "CERT_PASS" | openssl pkcs12 -in /usr/share/elasticsearch/ssl/qa.pfx -nocerts -out /usr/share/elasticsearch/ssl/kb-key.pem -nodes -passin stdin
# Without -nokeys this file holds the certificates plus the private key, re-encrypted with PEM_PASS.
RUN echo "CERT_PASS" | openssl pkcs12 -in /usr/share/elasticsearch/ssl/qa.pfx -out /usr/share/elasticsearch/ssl/kb-cert.pem -passin stdin -passout pass:"PEM_PASS"
# COPY left qa.pfx owned by root; hand the whole ssl directory to the elasticsearch user.
RUN chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ssl
# Fail the build when no scanner token was supplied, and verify the downloaded binary's checksum before executing it.
RUN if [ -z "$MICROSCANNER_TOKEN" ]; then echo "MICROSCANNER_TOKEN not set; use --build-arg MICROSCANNER_TOKEN=<token>"; exit 1; fi && \
    wget -O /microscanner https://get.aquasec.com/microscanner && \
    chmod +x /microscanner && \
    [ "$MICROSCANNER_SHA  /microscanner" = "$(sha256sum /microscanner)" ] && \
    /microscanner --continue-on-failure "$MICROSCANNER_TOKEN" && \
    rm -rf /microscanner
USER elasticsearch
```

Docker-compose.yml

```yaml
version: '2'
services:
  es-0:
    image: ACR_ElasticSearch_Image_Path
    container_name: elasticsearch-0
    restart: always
    network_mode: host
    environment:
      - cluster.name=es-0
      - node.name=es-0
      - path.logs=/var/log
      - path.data=/usr/share/elasticsearch/data
      - discovery.seed_hosts=127.0.0.1
      - cluster.initial_master_nodes=es-0
      - network.host=_site_,_local_
      - node.roles=master,data
      # The quotes become part of the value; drop them when the placeholder is substituted.
      - ELASTIC_PASSWORD="ELASTIC_PASSWORD"
      - node.attr.fault_domain=0
      - node.attr.update_domain=0
      - cluster.routing.allocation.awareness.attributes=fault_domain,update_domain
      - cluster.routing.allocation.disk.watermark.enable_for_single_data_node=true
      - azure.client.default.endpoint_suffix=core.windows.net
      - xpack.security.enabled=true
      # path.repo is the allowlist for filesystem snapshot repositories; /usr/share/ is very broad
      # and includes the Elasticsearch home directory itself.
      - path.repo=/usr/share/
      - bootstrap.memory_lock=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/ssl/qa.pfx
      - xpack.security.http.ssl.truststore.path=/usr/share/elasticsearch/ssl/qa.pfx
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.truststore.type=PKCS12
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/ssl/qa.pfx
      # The transport truststore points at the same .pfx that holds the private key; this is
      # the file the startup error above reports as having no trusted certificate entries.
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/ssl/qa.pfx
      - "ES_JAVA_OPTS=-Xms15000m -Xmx15000m"
      - indices.requests.cache.size=10%
    volumes:
      - data01:/usr/share/elasticsearch/data
    ulimits:
      memlock:
        soft: -1
        hard: -1
    # Port publishing is ignored under network_mode: host; the node binds 9200/9300 on the host directly.
    ports:
      - 9200:9200
      - 9300:9300
volumes:
  data01:
    driver: local
```

Your pfx file is a keystore, not a truststore.
7.x would try to work around that configuration error, but it would sometimes cause difficult-to-diagnose issues, so 8.x no longer does that.

In order to be a valid truststore, a PKCS#12 file must contain explicit trusted certificate entries; your file does not.

My recommendation to resolve your issue is to get a copy of the organisation CA in PEM format and configure it as the `xpack.security.transport.ssl.certificate_authorities`.

However, we always recommend using a dedicated CA to secure the transport port rather than your organisation CA.
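The following script is an added example (not code from the thread or from Elastic) that shows the distinction drawn above: it uses keytool to report whether a PKCS#12 file contains any `trustedCertEntry`, builds a proper PKCS#12 truststore from a CA in PEM form, and demonstrates both on a constructed CA and node certificate. The alias `org-ca`, the password `changeit`, the `Example Org CA` subject and the throwaway certificates are assumptions; it needs openssl and a JDK keytool on PATH.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Requires openssl and keytool (a JDK) on PATH.
set -eu

# Count entries of one type ("PrivateKeyEntry" or "trustedCertEntry") in a PKCS#12 file.
# Java only treats certBags carrying the Oracle "trusted key usage" attribute as trusted
# entries; openssl pkcs12 -export never sets it, so a chain exported with the key yields 0.
count_entries() {  # <p12-file> <password> <entry-type>
  keytool -list -v -storetype PKCS12 -keystore "$1" -storepass "$2" 2>/dev/null \
    | grep -c "Entry type: $3" || true
}

# Build a PKCS#12 truststore that holds only the CA certificate from a PEM file.
# keytool -importcert sets the trusted-key-usage attribute, which is what ES 8 checks for.
build_truststore() {  # <ca.pem> <out.p12> <password>
  rm -f "$2"
  keytool -importcert -noprompt -trustcacerts -alias org-ca -file "$1" \
    -keystore "$2" -storetype PKCS12 -storepass "$3" >/dev/null 2>&1
}

# Constructed fixture: a throwaway CA and a node certificate it signs, packed the way an
# organisation typically hands out a .pfx (private key + leaf + chain in one file).
make_fixture() {  # <workdir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Org CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=es-0" \
    -keyout "$1/node.key" -out "$1/node.csr" 2>/dev/null
  openssl x509 -req -in "$1/node.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -out "$1/node.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/node.key" -in "$1/node.pem" -certfile "$1/ca.pem" \
    -out "$1/qa.pfx" -passout pass:changeit
}

# Prints "<keys in qa.pfx> <trusted entries in qa.pfx> <trusted entries in truststore>".
# Expected: "1 0 1" - the .pfx is a keystore with an embedded chain, not a truststore.
demo() {
  local d
  d="$(mktemp -d)"
  make_fixture "$d"
  build_truststore "$d/ca.pem" "$d/truststore.p12" changeit
  echo "$(count_entries "$d/qa.pfx" changeit PrivateKeyEntry)" \
       "$(count_entries "$d/qa.pfx" changeit trustedCertEntry)" \
       "$(count_entries "$d/truststore.p12" changeit trustedCertEntry)"
  rm -rf "$d"
}
```

Source the file and run `demo`; the same `count_entries` call against the real qa.pfx is the quickest way to confirm it carries no trusted entries. A truststore built with `build_truststore` is a valid PKCS#12 truststore for `xpack.security.transport.ssl.truststore.path` if a PKCS#12 file is preferred over the PEM `certificate_authorities` route.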

Thank you @TimV, the issue got resolved by configuring the CA in PEM format.
