Problem with keystore password was incorrect

Hi pals,

I have configured my elasticsearch.yml as follows:

xpack.security.audit.enabled: true
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional

xpack.security.authc.realms.pki1.type: pki

When running the elasticsearch service on Windows, I get the following error:

[2019-02-19T10:40:53,725][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [Some-PC] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.5.4.jar:6.5.4]
.
.
.
Caused by: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:607) ~[elasticsearch-6.5.4.jar:6.5.4]
.
.
.
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
.
.
.
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:356) ~[?:?]
.
.
.
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_202]
.
.
.
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_202]

Could you please let me know about the possible reason(s)?


Hi

You use a keystore in your configuration

and you get an error regarding the password of that keystore

So it probably means that your keystore is password protected (you specified a password when creating this with elasticsearch-certutil) and you need to specify this password in your configuration too, otherwise elasticsearch cannot read the keystore to get the keys and certificates from it. How to do this is already described in detail in our configuration, see the sections that start with
"If you secured the node’s certificate with a password..."

Firstly, thanks for your reply.

Secondly, I ran the following commands:

bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

and set the passwords again. When running Elasticsearch with the previously mentioned config (first post), the same error occurred again!


Did you restart elasticsearch after you added the passwords to the secure settings as you show above?

Please share the error logs every time, even if they look similar.

The most obvious reason is that you used the wrong password. Can you please verify that the correct password is used by running:

openssl pkcs12 -info -in /the/path/to/your/certs/elastic-certificates.p12

and entering the password you have configured?

Thanks so much for your help. I did the steps mentioned here one-by-one from the beginning and it worked now.


May I know what steps you tried to solve this issue? I am getting the same error.
Can you please help?

I, firstly, just removed all the files generated. Then ran the commands mentioned in the article to generate the keys. The problem I had before was that after generation of the keys, I had not restarted the Elasticsearch service! (Step 4 - Restart Elasticsearch)
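A consistency check for the setup discussed in this thread, as an added example in Python (not part of the original posts and not Elastic's code): it compares the store paths in elasticsearch.yml with the entries printed by `bin/elasticsearch-keystore list` and reports which stores have no password configured. The function name, the sample keystore listing and the assumption that every store file is password-protected are assumptions of this example.

```python
import re

# Store settings as written in the thread's elasticsearch.yml, plus the
# plaintext ".password" form of the same setting.
STORE_SETTING = re.compile(
    r"^(xpack\.security\.(?:http|transport)\.ssl\.(?:keystore|truststore))"
    r"\.(path|password)\s*:\s*\S+"
)

def audit_store_passwords(yml_text, keystore_entries):
    """Map each configured store to "secure", "plaintext" or "missing".

    Assumes, as in the thread, that every store file has a password.
    """
    stores, plaintext = [], set()
    for raw in yml_text.splitlines():
        m = STORE_SETTING.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        prefix, key = m.groups()
        if key == "path":
            stores.append(prefix)
        else:
            plaintext.add(prefix)  # password sits readable in the yml
    present = {e.strip() for e in keystore_entries}
    return {
        p: "secure" if p + ".secure_password" in present
        else "plaintext" if p in plaintext else "missing"
        for p in stores
    }

# Constructed sample: store settings from the first post, and constructed
# `elasticsearch-keystore list` output where only the HTTP passwords exist.
SAMPLE_YML = """\
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
"""
SAMPLE_KEYSTORE_LIST = [
    "keystore.seed",
    "xpack.security.http.ssl.keystore.secure_password",
    "xpack.security.http.ssl.truststore.secure_password",
]

if __name__ == "__main__":
    for store, status in audit_store_passwords(SAMPLE_YML, SAMPLE_KEYSTORE_LIST).items():
        print(f"{status:9} {store}")
```

A store reported as "missing" needs its `secure_password` entry added with `bin/elasticsearch-keystore add`, followed by a restart of the node as described in the thread.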
