New install - error setting certificate verify locations

Following the instructions here: Install Elasticsearch with Debian Package | Elasticsearch Guide [8.2] | Elastic

Installing from apt on Ubuntu server 20.04

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update
sudo apt-get install elasticsearch

I get a normal looking output for "Security autoconfiguration information" including a password for the elastic user. I have not changed any files from their default.

sudo systemctl start elasticsearch.service

Starts without errors, no errors in the log that I can find, so I believe Elasticsearch started cleanly but when I run:

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200

Result is an error:

Enter host password for user 'elastic':
curl: (77) error setting certificate verify locations:
  CAfile: /etc/elasticsearch/certs/http_ca.crt
  CApath: /etc/ssl/certs

If I run the same command with the -k flag

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200 -k

results in the below so I'm wondering what I missed, or where to go from here since I haven't done anything different from the stated instructions?

{
  "name" : "elk",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "Oby40z63Sn6G9RS_V9zuvg",
  "version" : {
    "number" : "8.2.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "9905bfb62a3f0b044948376b4f607f70a8a151b4",
    "build_date" : "2022-06-08T22:21:36.455508792Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"

Hello @BRosenberg

Welcome to Elastic Community :slight_smile: !!!

Could you execute the below command and let us know the result. I hope this might fix your issue.

echo 'cacert=/etc/ssl/certs/http_ca.crt' > ~/.curlrc

Hi, and thanks for the welcome.

I ran the command you suggested and then tried the curl command again, but still got the same result:

:~$ curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Enter host password for user 'elastic':
curl: (77) error setting certificate verify locations:
  CAfile: /etc/elasticsearch/certs/http_ca.crt
  CApath: /etc/ssl/certs

I reproduced the issue on Ubuntu 22.04. Can you check this? It looks like a permission issue on my system, so I am wondering if you have the same issue.

$ ls -l /etc/elasticsearch/certs/http_ca.crt
ls: cannot access '/etc/elasticsearch/certs/http_ca.crt': Permission denied

On my Ubuntu system, /etc/Elasticsearch was created without global read/execute permission.

$ ls -l /etc | grep elasticsearch
drwxr-s---  4 root elasticsearch  4096 Jun 17 09:21 elasticsearch

$ ls -l /var/log | grep elasticsearch
drwxr-s---  2 elasticsearch     elasticsearch       4096 Jun 17 09:29 elasticsearch

A quick workaround could be:

chmod a+rx /etc/elasticsearch/ /etc/elasticsearch/certs
chmod a+r /etc/elasticsearch/certs/http_ca.crt

Be careful to not give global read permissions to sensitive files in those directories, such as elasticsearch.keystore.

1 Like

Another option could be to add /etc/elasticsearch/certs/http_ca.crt to the default location used by curl.

sudo apt install curl-config
sudo curl-config --configure
sudo cp /etc/elasticsearch/certs/http_ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This appears to have worked for me. curl is returning the expected results now.

Looking at the permissions on my Ubuntu 20.04 install, I was getting the same as you. Appears no permissions were set for 'others'. Not sure if that's an Ubuntu-specific thing or if that's just not considered in the .deb install.

2 Likes

I am happy to hear it is working for you now.

I have a note to follow up on the .deb install permissions.

Thank you.

Hello. I opened a bug report in GitHub to track this problem. You can track progress there. Thank you!