Hello,
I encountered an SSL certificate trust issue when attempting to upgrade a single-node Elasticsearch instance from version 7.17 to 8.0; the same certificate was working on 7.17. I am using a valid certificate chain provided by my organization, which includes the private key and is in .pfx format. I have also included my docker-compose.yml and Dockerfile for reference. What steps should I take to resolve this SSL certificate trust issue?
```text
2023-09-06T11:06:18.896781000Z uncaught exception in thread [main]
2023-09-06T11:06:18.897057000Z org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/share/elasticsearch/ssl/qa.pfx] does not contain any trusted certificate entries
2023-09-06T11:06:18.897315000Z Likely root cause: org.elasticsearch.common.ssl.SslConfigException: the truststore [/usr/share/elasticsearch/ssl/qa.pfx] does not contain any trusted certificate entries
2023-09-06T11:06:18.897573000Z at org.elasticsearch.common.ssl.StoreTrustConfig.checkTrustStore(StoreTrustConfig.java:135)
```
Elasticsearch Dockerfile

```dockerfile
FROM docker.elastic.co/elasticsearch/elasticsearch:8.0.1
RUN elasticsearch-plugin install repository-azure --batch && \
    elasticsearch-keystore create
RUN mkdir -p /usr/share/elasticsearch/ssl
COPY ["CERT_PATH", "/usr/share/elasticsearch/ssl/"]
# UPPER_CASE tokens are substituted by the build pipeline. Note that values echoed
# in RUN lines remain readable in the image's layer history.
RUN echo "DEFAULT_STORAGE_ACCOUNT_NAME" | elasticsearch-keystore add azure.client.default.account -xf && \
    echo "DEFAULT_STORAGE_ACCOUNT_KEY" | elasticsearch-keystore add azure.client.default.key
RUN echo "SECONDARY_STORAGE_ACCOUNT_NAME" | elasticsearch-keystore add azure.client.secondary.account -xf && \
    echo "SECONDARY_STORAGE_ACCOUNT_KEY" | elasticsearch-keystore add azure.client.secondary.key -xf
RUN echo "ADMIN_PASSWORD" | elasticsearch-keystore add bootstrap.password -xf && \
    echo "CERT_PASS" | elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password -xf && \
    echo "CERT_PASS" | elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password -xf && \
    echo "ES_TRANSPORT_SSL_PASSWORD" | elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password -xf && \
    echo "ES_TRANSPORT_SSL_PASSWORD" | elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password -xf
USER root
RUN apt-get update && apt-get install openssl wget -y
# Split the PFX into the PEM pieces Kibana and the HTTP CA need
RUN echo "CERT_PASS" | openssl pkcs12 -in /usr/share/elasticsearch/ssl/qa.pfx -out /usr/share/elasticsearch/ssl/elasticsearch-http-ca.crt -cacerts -nokeys -chain -passin stdin
RUN echo "CERT_PASS" | openssl pkcs12 -in /usr/share/elasticsearch/ssl/qa.pfx -nocerts -out /usr/share/elasticsearch/ssl/kb-key.pem -nodes -passin stdin
RUN echo "CERT_PASS" | openssl pkcs12 -in /usr/share/elasticsearch/ssl/qa.pfx -out /usr/share/elasticsearch/ssl/kb-cert.pem -chain -passin stdin -passout pass:"PEM_PASS"
RUN chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ssl/elasticsearch-http-ca.crt && \
    chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ssl/kb-key.pem && \
    chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ssl/kb-cert.pem
# wget is already installed above; -y keeps this from hanging in a non-interactive build
RUN apt-get update && apt-get install wget -y
# sha256sum prints "<hash>  <file>" with two spaces, so the comparison string must match that
RUN if [ -z "MICROSCANNER_TOKEN" ]; then echo "MICROSCANNER_TOKEN not set using --build-arg MICROSCANNER_TOKEN=<token>"; exit 1; else : ; fi && \
    wget -O /microscanner https://get.aquasec.com/microscanner && \
    chmod +x /microscanner && \
    [ "MICROSCANNER_SHA  /microscanner" = "$(sha256sum /microscanner)" ] && \
    /microscanner --continue-on-failure MICROSCANNER_TOKEN && \
    rm -rf /microscanner
USER elasticsearch
```
Docker-compose.yml

```yaml
version: '2'
services:
  es-0:
    image: ACR_ElasticSearch_Image_Path
    container_name: elasticsearch-0
    restart: always
    network_mode: host
    environment:
      - cluster.name=es-0
      - node.name=es-0
      - path.logs=/var/log
      - path.data=/usr/share/elasticsearch/data
      - discovery.seed_hosts=127.0.0.1
      - cluster.initial_master_nodes=es-0
      - network.host=_site_,_local_
      - node.roles=master,data
      - ELASTIC_PASSWORD="ELASTIC_PASSWORD"
      - node.attr.fault_domain=0
      - node.attr.update_domain=0
      - cluster.routing.allocation.awareness.attributes=fault_domain,update_domain
      - cluster.routing.allocation.disk.watermark.enable_for_single_data_node=true
      - azure.client.default.endpoint_suffix=core.windows.net
      - xpack.security.enabled=true
      - path.repo=/usr/share/
      - bootstrap.memory_lock=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/ssl/qa.pfx
      - xpack.security.http.ssl.truststore.path=/usr/share/elasticsearch/ssl/qa.pfx
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.truststore.type=PKCS12
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/ssl/qa.pfx
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/ssl/qa.pfx
      - "ES_JAVA_OPTS=-Xms15000m -Xmx15000m"
      - indices.requests.cache.size=10%
    volumes:
      - data01:/usr/share/elasticsearch/data
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - 9200:9200
      - 9300:9300
volumes:
  data01:
    driver: local
```
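The check the error above is making is a Java one: `StoreTrustConfig.checkTrustStore` walks the aliases of the configured truststore and requires at least one `trustedCertEntry`. An organization-issued .pfx normally holds a single `PrivateKeyEntry` (key, leaf, chain) and nothing else, so it is a valid keystore but not a truststore when named explicitly as one. Java's PKCS12 loader additionally only treats a certificate bag as trusted when it carries the Oracle trusted-key-usage attribute (OID 2.16.840.1.113894.746875.1.1), which `keytool -importcert` sets and a plain `openssl pkcs12 -export -nokeys` does not. The script below is an added example, not part of the original post or of Elasticsearch: it builds a constructed demo PFX shaped like the `qa.pfx` in the question (demo CA, demo leaf for `es-0`, password `changeit`, all made up), counts what the file actually contains, extracts the CA chain as PEM for use with `xpack.security.transport.ssl.certificate_authorities` (which cannot be combined with `truststore.path`), and, where `keytool` is available (the Elasticsearch image ships it under `/usr/share/elasticsearch/jdk/bin`), builds a PKCS12 truststore that Java will recognise. It assumes `openssl` is on PATH; the temp-dir layout and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "no trusted certificate
# entries" situation with a constructed PFX, inspect it, and build a Java-usable truststore.
set -eu

# Constructed demo CA + leaf, packed the way an org-issued qa.pfx usually is:
# one PrivateKeyEntry (key + leaf + chain) and no trusted-certificate entries.
make_demo_pfx() {   # $1 = working dir, $2 = PFX password; prints the PFX path
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Org CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=es-0" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -name es-0 -inkey "$dir/leaf.key" -in "$dir/leaf.crt" \
        -certfile "$dir/ca.crt" -out "$dir/demo.pfx" -passout "pass:$pass"
    echo "$dir/demo.pfx"
}

# Number of certificates in the PFX, as openssl classifies them: "clcerts" are the
# ones bound to a key (localKeyID), "cacerts" are the rest, "all" is both.
count_certs() {      # $1 = pfx, $2 = password, $3 = all|clcerts|cacerts
    case $3 in
        all) sel="" ;;
        clcerts) sel="-clcerts" ;;
        cacerts) sel="-cacerts" ;;
        *) echo "bad selector: $3" >&2; return 2 ;;
    esac
    openssl pkcs12 -in "$1" -nokeys $sel -passin "pass:$2" 2>/dev/null \
        | grep -c "BEGIN CERTIFICATE" || true
}

# Write only the CA chain (no key, no leaf, no "Bag Attributes" lines) as PEM and
# print how many certificates it holds. Point xpack.security.*.ssl.certificate_authorities
# at this file (and drop the truststore.path/type settings) or feed it to
# build_java_truststore below.
extract_ca_pem() {   # $1 = pfx, $2 = password, $3 = output PEM path
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" 2>/dev/null \
        | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > "$3"
    grep -c "BEGIN CERTIFICATE" "$3" || true
}

# Import each CA certificate with keytool so the PKCS12 gets real trustedCertEntry
# aliases; prints the number of trusted entries keytool then reports. Returns 1 if
# no keytool is available (run it inside the Elasticsearch image in that case).
build_java_truststore() {   # $1 = CA PEM bundle, $2 = output .p12, $3 = store password
    kt=$(command -v keytool || echo /usr/share/elasticsearch/jdk/bin/keytool)
    [ -x "$kt" ] || { echo "keytool not found" >&2; return 1; }
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/ca-" n ".pem")}' "$1"
    for f in "$tmp"/ca-*.pem; do
        "$kt" -importcert -noprompt -trustcacerts -alias "$(basename "$f" .pem)" \
            -file "$f" -keystore "$2" -storetype PKCS12 -storepass "$3" >/dev/null
    done
    rm -rf "$tmp"
    "$kt" -list -keystore "$2" -storetype PKCS12 -storepass "$3" | grep -c trustedCertEntry
}

# Demo run on the constructed PFX (password "changeit" is made up for the example).
work=$(mktemp -d)
pfx=$(make_demo_pfx "$work" changeit)
echo "certificates total/leaf/ca: $(count_certs "$pfx" changeit all)/$(count_certs "$pfx" changeit clcerts)/$(count_certs "$pfx" changeit cacerts)"
extract_ca_pem "$pfx" changeit "$work/ca-chain.pem" >/dev/null
build_java_truststore "$work/ca-chain.pem" "$work/truststore.p12" changeit \
    || echo "keytool unavailable here; run build_java_truststore inside the Elasticsearch image" >&2
```

Run against the real file as `count_certs /usr/share/elasticsearch/ssl/qa.pfx "$CERT_PASS" cacerts` inside the image: a result of 0 means the PFX carries no chain at all and the CA must come from elsewhere; a result of 1 or more means the chain is there and only needs to be presented to Elasticsearch as trust material, either as the PEM via `certificate_authorities` (then remove the `truststore.path`, `truststore.type` and `truststore.secure_password` entries for that context, since the two settings are mutually exclusive) or as a keytool-built `truststore.p12` referenced by `truststore.path`.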