@ikakavas I can chime in as I'm also experiencing this repeatedly on fresh installs of Ubuntu server with 8.0.1.
commands executed:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install elasticsearch
At this point I did receive the Security autoconfiguration information" message as pasted below, but for the password:
--------------------------- Security autoconfiguration information ------------------------------
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.
The generated password for the elastic built-in superuser is : <password>
If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.
You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
-------------------------------------------------------------------------------------------------
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
Finally, I ran:
curl --cacert /etc/elasticsearch/config/certs/http_ca.crt -u elastic https://localhost:9200
Where I received this output:
Enter host password for user 'elastic':
curl: (77) error setting certificate verify locations:
CAfile: /etc/elasticsearch/config/certs/http_ca.crt
CApath: /etc/ssl/certs
I attempted:
sudo apt install ca-certificates --reinstall
but that did not help.
cat /etc/elasticsearch/elasticsearch.yml reveals:
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
#network.host: 192.168.0.1
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 05-03-2022 04:54:44
#
# --------------------------------------------------------------------------------
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["elasticserver"]
# Allow HTTP API connections from localhost and local networks
# Connections are encrypted and require user authentication
http.host: [_local_, _site_]
# Allow other nodes to join the cluster from localhost and local networks
# Connections are encrypted and mutually authenticated
#transport.host: [_local_, _site_]
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
which seems reasonable / as expected at this point.
ls -laR /etc/elasticsearch/config
Results in:
ls: cannot access '/etc/elasticsearch/config': No such file or directory
which...... seems odd since we would expect it to be there
If I attempt to curl insecurely with curl --cacert /etc/elasticsearch/config/certs/http_ca.crt -u elastic https://localhost:9200 -k
I get:
Enter host password for user 'elastic':
{
"name" : "elasticserver",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "KZc0isHyQL24ZvxQ0ZEmkQ",
"version" : {
"number" : "8.0.1",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "801d9ccc7c2ee0f2cb121bbe22ab5af77a902372",
"build_date" : "2022-02-24T13:55:40.601285296Z",
"build_snapshot" : false,
"lucene_version" : "9.0.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
SO. It does seem like there's some certificate wonky-ness here.
I ran find . -name '*.p12' and get:
./etc/elasticsearch/certs/http.p12
./etc/elasticsearch/certs/transport.p12
Also in that same directory is http_ca.crt
I did a mkdir for /etc/Elasticsearch/config/certs/ and then ran cp http_ca.crt /etc/elasticsearch/config/certs/http_ca.crt and that seems to resolve the issue, but it almost seems like a hack, so I'm left wondering if things will still run as expected going forward, as this step was not mentioned in the install instructions.
so apologies for that. I had definitely assumed that the curl command in the instructions would just point to where the .crt file was dropped and the lazy copy/paste approach would just work.