New install - error setting certificate verify locations

Following the instructions here: Install Elasticsearch with Debian Package | Elasticsearch Guide [8.2] | Elastic

Installing from apt on Ubuntu server 20.04

wget -qO - | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update
sudo apt-get install elasticsearch

I get a normal looking output for "Security autoconfiguration information" including a password for the elastic user. I have not changed any files from their default.

sudo systemctl start elasticsearch.service

Starts without errors, no errors in the log that I can find, so I believe Elasticsearch started cleanly but when I run:

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200

Result is an error:

Enter host password for user 'elastic':
curl: (77) error setting certificate verify locations:
  CAfile: /etc/elasticsearch/certs/http_ca.crt
  CApath: /etc/ssl/certs

If I run the same command with the -k flag

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200 -k

results in the below so I'm wondering what I missed, or where to go from here since I haven't done anything different from the stated instructions?

  "name" : "elk",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "Oby40z63Sn6G9RS_V9zuvg",
  "version" : {
    "number" : "8.2.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "9905bfb62a3f0b044948376b4f607f70a8a151b4",
    "build_date" : "2022-06-08T22:21:36.455508792Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  "tagline" : "You Know, for Search"

Hello @BRosenberg

Welcome to Elastic Community :slight_smile: !!!

Could you execute the below command and let us know the result. I hope this might fix your issue.

echo 'cacert=/etc/ssl/certs/http_ca.crt' > ~/.curlrc

Hi, and thanks for the welcome.

I ran the command you suggested and then tried the curl command again, but still got the same result:

:~$ curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Enter host password for user 'elastic':
curl: (77) error setting certificate verify locations:
  CAfile: /etc/elasticsearch/certs/http_ca.crt
  CApath: /etc/ssl/certs

I reproduced the issue on Ubuntu 22.04. Can you check this? It looks like a permission issue on my system, so I am wondering if you have the same issue.

$ ls -l /etc/elasticsearch/certs/http_ca.crt
ls: cannot access '/etc/elasticsearch/certs/http_ca.crt': Permission denied

On my Ubuntu system, /etc/Elasticsearch was created without global read/execute permission.

$ ls -l /etc | grep elasticsearch
drwxr-s---  4 root elasticsearch  4096 Jun 17 09:21 elasticsearch

$ ls -l /var/log | grep elasticsearch
drwxr-s---  2 elasticsearch     elasticsearch       4096 Jun 17 09:29 elasticsearch

A quick workaround could be:

chmod a+rx /etc/elasticsearch/ /etc/elasticsearch/certs
chmod a+r /etc/elasticsearch/certs/http_ca.crt

Be careful to not give global read permissions to sensitive files in those directories, such as elasticsearch.keystore.

1 Like

Another option could be to add /etc/elasticsearch/certs/http_ca.crt to the default location used by curl.

sudo apt install curl-config
sudo curl-config --configure
sudo cp /etc/elasticsearch/certs/http_ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This appears to have worked for me. curl is returning the expected results now.

Looking at the permissions on my Ubuntu 20.04 install, I was getting the same as you. Appears no permissions were set for 'others'. Not sure if that's an Ubuntu-specific thing or if that's just not considered in the .deb install.


I am happy to hear it is working for you now.

I have a note to follow up on the .deb install permissions.

Thank you.

Hello. I opened a bug report in GitHub to track this problem. You can track progress there. Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.