Java security error after upgrading to 7.0

perezjasonr · May 29, 2019, 12:02pm

Hello,

I upgraded from 6.6 to latest 7.x everything was working fine before this but now I get a java security error:

Blockquote
ion: /etc/elasticsearch/certs/elastic-stack-ca.p12 May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 elasticsearch[1248]: May 29 11:39:09 598717Ubuntu1 systemd[1]: May 29 11:39:09 598717Ubuntu1 systemd[1]:
Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/certs/elastic-stack-ca.p12
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
at java.base/sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55)
at java.base/sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:149)
at java.base/sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99)
at java.base/java.nio.file.Files.readAttributes(Files.java:1840)
at java.base/java.nio.file.FileTreeWalker.getAttributes(FileTreeWalker.java:225)
at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:276)
at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:373)
at java.base/java.nio.file.Files.walkFileTree(Files.java:2837)
at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:218)
at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:127)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:294)
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159)
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
Refer to the log for complete error details.
elasticsearch.service: Main process exited, code=exited, status=1/FAILURE
elasticsearch.service: Failed with result 'exit-code'.

Ive researched this of course and I've tried going into the java policy file, both the one under the elasticsearch directory in:

/usr/share/elasticsearch/jdk/conf/security/java.policy

and

/etc/java-11-openjdk/security/java.policy

and giving it permissions to that file with:

permission java.util.PropertyPermission "/etc/elasticsearch/certs/*", "read";

under the grant directive.

that certs dir and the files in it are now owned by user/group elasticsearch

drw-rwS--- 2 elasticsearch elasticsearch 4096 May 28 17:48 certs

and

sudo ls -la /etc/elasticsearch/certs
total 16
drw-rwS--- 2 elasticsearch elasticsearch 4096 May 28 17:48 .
drwxr-s--- 3 elasticsearch elasticsearch 4096 May 28 18:28 ..
-rw-rw-r-- 1 elasticsearch elasticsearch 3539 May 22 15:40 elastic-certificates.p12
-rw-rw-r-- 1 elasticsearch elasticsearch 2519 May 14 16:43 elastic-stack-ca.p12

I don't know what else to do and I'm out of ideas and I don't see other things to try from research, does anyone know what I haven't done yet? Thank you.

rjernst · May 31, 2019, 6:17am

It looks like your certs dir lacks execute permission for user. Directories need execute in order to read files inside the directory. Note that AccessDeniedException is thrown by the filesystem, not the security manager, so the policy file change would not have any effect (and permission for /etc/elasticsearch already exists within the policy file Elasticsearch loads on startup).

perezjasonr · May 31, 2019, 2:31pm

Thank you for your response, I was able to resolve this by moving the files out of the certs dir.
I didnt think permissions would be necessary for user, I assumed it would only be necessary for root, elasticsearch so I thought it would be fine with those settings.

system · June 28, 2019, 2:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.