Missing token enrollment

seblac · February 9, 2025, 11:59pm

Dear All,

I have installed the ELK stack in version 8.16.3 with docker running on a windows system and WSL 2. I am using the tool compose from docker to script the installation of a first elastic node. I used the script provided with elastic documentation. But when I try to connect to kibana, I can't fill the enrollement token because I don't see it in the logs displayed by docker desktop, and I don't succeed in regenerating the token with the command :

docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

I have the following error message :

WARNING: Owner of file [/usr/share/elasticsearch/config/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/usr/share/elasticsearch/config/users_roles] used to be [root], but now is [elasticsearch]
14:24:54.472 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [172.18.0.4]; the server provided a certificate with subject name [CN=es01], fingerprint [8416c15e50ca3440cbc5018f7cd07a1365ffa60d], no keyUsage and no extendedKeyUsage; the certificate is valid between [2025-02-04T14:12:08Z] and [2028-02-04T14:12:08Z] (current time is [2025-02-04T14:24:54.464759401Z], certificate dates are valid); the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:es01,IP:127.0.0.1,DNS:localhost]; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA] but the server did not provide a copy of the issuing certificate in the certificate chain; the issuing certificate with fingerprint [00becc52ea89c9e7bebb4473a0749eb81e53606d] is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/usr/share/elasticsearch/config/certs/ca/ca.crt})])
java.security.cert.CertificateException: No subject alternative names matching IP address 172.18.0.4 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160) ~[?:?]
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:81) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1310) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146) ~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1422) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:586) ~[?:?]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
        at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.execute(BaseRunAsSuperuserCommand.java:127) ~[?:?]
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:55) ~[elasticsearch-8.16.3.jar:8.16.3]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:95) ~[elasticsearch-cli-8.16.3.jar:8.16.3]
        at org.elasticsearch.cli.Command.main(Command.java:52) ~[elasticsearch-cli-8.16.3.jar:8.16.3]
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:65) ~[cli-launcher-8.16.3.jar:8.16.3]

ERROR: Failed to determine the health of the cluster. , with exit code 69

Any idea about the problem and how to fix it ?

Thanks

Sébastien.

TimV · February 10, 2025, 6:13am

It sounds like the default hostname of your node changed after security was configured for you.

It was originally listening on 127.0.0.1, but you changed it to listen on 172.18.0.4 is that correct?

seblac · February 10, 2025, 10:49am

hi Tim, thank you very much for your response. No I didn't changed the hostname, but after some tries, I finally moved forward, but I cant' say what was wrong with my previous configuration. Probably the parameter ELASTICSEARCH _SSL_CERTIFICATE AUTHORITIES.

Topic		Replies	Views
After elastic upgrade, cant cretae enrollment token Kibana docker	0	96	June 28, 2024
Persistent CertificateException error on running any of the elasticsearch tools in docker Elasticsearch docker	6	779	December 31, 2023
ELK security setup Elastic Security docker	8	85	January 14, 2025
Trying to deploy elk as a docker service with certificate Elasticsearch docker	1	670	January 24, 2022
Issue generating token after adding PV Elasticsearch docker	1	157	December 20, 2022

Missing token enrollment

Related topics