Failed to load SSL configuration

mohanss08 · February 4, 2023, 9:22am

Hello Team,

I had elasticsearch:7.16.2 version with xpack security based login enabled, So today i had changed elasticsearch and kibna versions to 8.6.1 in my docker-compose file, but it fails with below errors when i start the elasticsearch container.

elasticsearch    | {"@timestamp":"2023-02-04T07:59:23.518Z", "log.level":"ERROR", "message":"fatal exception while booting Elasticsearch", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"main","log.logger":"org.elasticsearch.bootstrap.Elasticsearch","elasticsearch.node.name":"elasticsearch","elasticsearch.cluster.name":"docker-cluster","error.type":"org.elasticsearch.ElasticsearchSecurityException","error.message":"failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/share/elasticsearch/config/elastic-stack-ca.p12] does not contain any trusted certificate entries","error.stack_trace":"org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/share/elasticsearch/config/elastic-stack-ca.p12] does not contain any trusted certificate entries\n\tat org.elasticsearch.xcore@8.6.1/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:605)\n\tat java.base/java.util.HashMap.forEach(HashMap.java:1429)\n\tat java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553)\n\tat org.elasticsearch.xcore@8.6.1/org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601)\n\tat org.elasticsearch.xcore@8.6.1/org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156)\n\tat org.elasticsearch.xcore@8.6.1/org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:465)\n\tat org.elasticsearch.xcore@8.6.1/org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:314)\n\tat org.elasticsearch.server@8.6.1/org.elasticsearch.node.Node.lambda$new$16(Node.java:721)\n\tat org.elasticsearch.server@8.6.1/org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:252)\n\tat java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)\n\tat java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)\n\tat java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722)\n\tat java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)\n\tat java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)\n\tat java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575)\n\tat java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260)\n\tat java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616)\n\tat java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622)\n\tat java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627)\n\tat org.elasticsearch.server@8.6.1/org.elasticsearch.node.Node.<init>(Node.java:736)\n\tat org.elasticsearch.server@8.6.1/org.elasticsearch.node.Node.<init>(Node.java:322)\n\tat org.elasticsearch.server@8.6.1/org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:214)\n\tat org.elasticsearch.server@8.6.1/org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:214)\n\tat org.elasticsearch.server@8.6.1/org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:67)\nCaused by: org.elasticsearch.common.ssl.SslConfigException: the truststore [/usr/share/elasticsearch/config/elastic-stack-ca.p12] does not contain any trusted certificate entries\n\tat org.elasticsearch.sslconfig@8.6.1/org.elasticsearch.common.ssl.StoreTrustConfig.checkTrustStore(StoreTrustConfig.java:134)\n\tat org.elasticsearch.sslconfig@8.6.1/org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:84)\n\tat org.elasticsearch.xcore@8.6.1/org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473)\n\tat java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1228)\n\tat org.elasticsearch.xcore@8.6.1/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603)\n\t... 23 more\n"}
elasticsearch    | ERROR: Elasticsearch did not exit normally - check the logs at /usr/share/elasticsearch/logs/docker-cluster.log
elasticsearch    |
elasticsearch    | ERROR: Elasticsearch exited unexpectedly

My docker-compose file as follows.

version: '3'

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.6.1
    container_name: elasticsearch
    environment:
      - node.name=elasticsearch
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=elasticsearch
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-stack-ca.p12
      - xpack.security.transport.ssl.truststore.path=elastic-stack-ca.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12
      - esdata1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200

  kibana:
    image: docker.elastic.co/kibana/kibana:8.6.1
    container_name: kibana
    environment:
      ELASTICSEARCH_URL: "http://elasticsearch:9200"
      ELASTICSEARCH_USERNAME: "password"
      ELASTICSEARCH_PASSWORD: "password"
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch

volumes:
  esdata1:
    driver: local

I had been using xpack.security for a longer time with 7.x versions, until today i had no issues. After moving to 8.6.1 the problem started occurring. Also as per the error, i have elastic-stack-ca.p12 file in the volume section and that copies to /usr/share/elasticsearch/config/ path, But not sure why still it fails?

Any change in 8.x version? Any advise to solve this problem would be helpful.

mohanss08 · February 4, 2023, 9:59am

The following link workaround helped me solve the issue.

system · March 4, 2023, 10:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/share/elasticsearch/ssl/qa.pfx] does not contain any trusted certificate entries Elasticsearch elastic-stack-security , docker	3	1153	October 18, 2023
Failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] Elasticsearch elastic-stack-security , docker	4	370	March 19, 2024
Failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/root.p12] does not contain any trusted certificate entries Elasticsearch	3	71	September 19, 2024
ElasticSearch Linux startup failed. Procedure Elasticsearch elastic-stack-security	11	6119	April 17, 2022
Fail to load SSL configuration while using docker image Elasticsearch elastic-stack-security , docker	8	3834	May 28, 2020

Failed to load SSL configuration

Related topics