How to show the password of the elastic built-in superuser elastic?

how to show the password of the elastic built-in superuser elastic? the pass was given when you installed elasticsearch

@Firas_Bougrine

If You did not record the password when you're first installed, there is no way to show it again.

You Need to run that reset command as instructed that's in your image.

1 Like

thanks @stephenb for you response
@stephenb i have other question what is it mean the enrollment token is valid for 30 minutes for kibana i know this enrollement token is automatically applies the security settings but i don't i want to know what is it mean by valid for 30 min and what's the good solution between configuring the security automatically or manually ??and thanks

Means you need to finish enrolling kibana with that token within 30 mins of that token getting generated... the enrollment token expires... but once you enroll Kibana the setup / settings that are configured are permanent.

If you are new to elastic I would stick with the automatic setup ... manually you will need to understand all the settings and generate your own certificates etc.. etc..

okay @stephenb thanks , for exemple when i did the automatic configuration and kibana automaticuly configured with the ip in the capture it below and after a while I decided to change the ip of elasticsearch when i try it told me that "kibana is not ready yet " it's normal because i changed the ip and it's not the same of kibana config token what i will do it this case i delete this lines from the kibana.yml and restart it again or i will delete and install elastic and kibana again with new token of the new ip ????


First screenshots of text are not good, they can not be searched, or analyszed for debug etc... and some people can not see them... formatted text is much better.

Not sure what you mean by "you decided to changed the IP of elasticsearch" did you completely re-install? if not the certificates will probably not be valid an probably will not work... unless you started completey over

With respect to kibana I think you can clean out all the generated stuff in the kibana.yml then restart kibana you will need to make sure the elasticsearch host in the kibana.yml file is pointed at the correct elasticsearch IP.

Then regenerate and enrollment token from elasticsearch

Then regenerate a kibana verification code

Or just start ALL over with all your new settings IP addresses etc... etc... changing things without understanding the impact is going to cause issues..

``Not sure what you mean by "you decided to changed the IP of elasticsearch"`
i mean that i changed the network.host of elasticsearch with a new IP and the configuration of security (connect kibana to elastic with the token ) was saved with the last IP , i mean by my question what i will do to generate a new token to connect kibana to elastic with the new IP of elastic?
this the problem when i try to do a new token :

elkfiras@elkfiras:/usr/share/elasticsearch/bin$ sudo ./elasticsearch-create-enrollment-token -s kibana
[sudo] password for elkfiras:
12:57:33.755 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [192.168.37.2]; the server provided a certificate with subject name [CN=elkfiras], fingerprint [d97cb7ed2fc40a1a5534399b11121c233879c76f], no keyUsage and extendedKeyUsage [serverAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:localhost,IP:192.168.1.17,DNS:elkfiras,IP:0:0:0:0:0:0:0:1,IP:127.0.0.1,IP:fe80:0:0:0:20c:29ff:fe65:82ff]; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [e9548ce60b383fa3491a7bdd69771e437ba0a4de] {trusted issuer}) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,StoreTrustConfig{path=certs/http.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX}})])
java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.37.2 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165) ~[?:?]
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:82) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169) ~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421) ~[?:?]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:578) ~[?:?]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183) ~[?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142) ~[?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[?:?]
        at java.security.AccessController.doPrivileged(AccessController.java:569) [?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) [x-pack-core-8.3.1.jar:8.3.1]
        at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:178) [x-pack-core-8.3.1.jar:8.3.1]
        at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:112) [x-pack-core-8.3.1.jar:8.3.1]
        at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.checkClusterHealthWithRetries(BaseRunAsSuperuserCommand.java:214) [x-pack-security-8.3.1.jar:8.3.1]
        at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.execute(BaseRunAsSuperuserCommand.java:127) [x-pack-security-8.3.1.jar:8.3.1]
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54) [elasticsearch-8.3.1.jar:8.3.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85) [elasticsearch-cli-8.3.1.jar:8.3.1]
        at org.elasticsearch.cli.Command.main(Command.java:50) [elasticsearch-cli-8.3.1.jar:8.3.1]
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64) [cli-launcher-8.3.1.jar:8.3.1]

ERROR: Failed to determine the health of the cluster.