New install - error setting certificate verify locations

Following the instructions here: Install Elasticsearch with Debian Package | Elasticsearch Guide [8.2] | Elastic

Installing from apt on Ubuntu server 20.04

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update
sudo apt-get install elasticsearch

I get a normal-looking output for "Security autoconfiguration information" including a password for the elastic user. I have not changed any files from their default.

sudo systemctl start elasticsearch.service

Starts without errors, no errors in the log that I can find, so I believe Elasticsearch started cleanly but when I run:

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200

Result is an error:

Enter host password for user 'elastic':
curl: (77) error setting certificate verify locations:
  CAfile: /etc/elasticsearch/certs/http_ca.crt
  CApath: /etc/ssl/certs

If I run the same command with the -k flag

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200 -k

results in the below so I'm wondering what I missed, or where to go from here since I haven't done anything different from the stated instructions?

{
  "name" : "elk",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "Oby40z63Sn6G9RS_V9zuvg",
  "version" : {
    "number" : "8.2.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "9905bfb62a3f0b044948376b4f607f70a8a151b4",
    "build_date" : "2022-06-08T22:21:36.455508792Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Hello @BRosenberg

Welcome to Elastic Community!!!

Could you execute the below command and let us know the result? I hope this might fix your issue.

echo 'cacert=/etc/ssl/certs/http_ca.crt' > ~/.curlrc

Hi, and thanks for the welcome.

I ran the command you suggested and then tried the curl command again, but still got the same result:

:~$ curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Enter host password for user 'elastic':
curl: (77) error setting certificate verify locations:
  CAfile: /etc/elasticsearch/certs/http_ca.crt
  CApath: /etc/ssl/certs

I reproduced the issue on Ubuntu 22.04. Can you check this? It looks like a permission issue on my system, so I am wondering if you have the same issue.

$ ls -l /etc/elasticsearch/certs/http_ca.crt
ls: cannot access '/etc/elasticsearch/certs/http_ca.crt': Permission denied

On my Ubuntu system, /etc/elasticsearch was created without global read/execute permission.

$ ls -l /etc | grep elasticsearch
drwxr-s---  4 root elasticsearch  4096 Jun 17 09:21 elasticsearch

$ ls -l /var/log | grep elasticsearch
drwxr-s---  2 elasticsearch     elasticsearch       4096 Jun 17 09:29 elasticsearch

A quick workaround could be:

chmod a+rx /etc/elasticsearch/ /etc/elasticsearch/certs
chmod a+r /etc/elasticsearch/certs/http_ca.crt

Be careful to not give global read permissions to sensitive files in those directories, such as elasticsearch.keystore.

1 Like
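The permission diagnosis and workaround from the post above, as an added example that is not part of the original thread: it finds the first path component that blocks the "others" permission class and lists which files end up world-readable after a chmod. The function names and the sample tree are constructed for illustration (only the `drwxr-s---` directory mode comes from the thread; the file modes are assumed), and it relies on GNU `stat -c %a` as shipped on Ubuntu.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU coreutils `stat -c %a`, as shipped on Ubuntu.

# Walk from $1 down to $1/$2 and print the first component that the "others"
# permission class cannot traverse (dirs need o+x) or read (file needs o+r).
# Returns 0 if reachable, 1 if blocked, 2 if a component cannot be inspected.
others_blocked_at() {
  cur=${1%/}; rest=$2
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    [ -n "$part" ] || continue
    cur="$cur/$part"
    mode=$(stat -c %a "$cur") || return 2
    other=${mode#"${mode%?}"}            # last octal digit = "others" bits
    if [ -d "$cur" ]; then need=1; else need=4; fi
    if [ $(( $other & $need )) -eq 0 ]; then echo "$cur"; return 1; fi
  done
  return 0
}

# List regular files under $1 that are world-readable, to confirm a chmod
# did not expose anything besides the CA certificate.
world_readable_under() {
  find "$1" -type f -perm -004 | sort
}

# Constructed sample tree: directory mode from the thread, file modes assumed.
make_sample_tree() {
  r=$(mktemp -d)
  mkdir -p "$r/etc/elasticsearch/certs"
  : > "$r/etc/elasticsearch/certs/http_ca.crt"
  : > "$r/etc/elasticsearch/elasticsearch.keystore"
  chmod 660 "$r/etc/elasticsearch/certs/http_ca.crt" \
            "$r/etc/elasticsearch/elasticsearch.keystore"
  chmod 755 "$r/etc"
  chmod 750 "$r/etc/elasticsearch/certs"
  chmod 2750 "$r/etc/elasticsearch"      # drwxr-s--- as in the ls output
  echo "$r"
}

sample=$(make_sample_tree)
if blocked=$(others_blocked_at "$sample" etc/elasticsearch/certs/http_ca.crt); then
  echo "path is reachable by others"
else
  echo "others blocked at: ${blocked#"$sample"}"
fi
rm -rf "$sample"
```

On a real host, call `others_blocked_at "" /etc/elasticsearch/certs/http_ca.crt`, then run `world_readable_under /etc/elasticsearch` as root after any chmod to confirm that only `http_ca.crt` is listed.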

Another option could be to add /etc/elasticsearch/certs/http_ca.crt to the default location used by curl.

sudo apt install curl-config
sudo curl-config --configure
sudo cp /etc/elasticsearch/certs/http_ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This appears to have worked for me. curl is returning the expected results now.

Looking at the permissions on my Ubuntu 20.04 install, I was getting the same as you. Appears no permissions were set for 'others'. Not sure if that's an Ubuntu-specific thing or if that's just not considered in the .deb install.

2 Likes

I am happy to hear it is working for you now.

I have a note to follow up on the .deb install permissions.

Thank you.

Hello. I opened a bug report in GitHub to track this problem. You can track progress there. Thank you!
