Public key protected PKCS12 not supported

I want to use winbeat with SIEM, so I configured Elasticsearch 7.8 with TLS/SSL.
I created the cert files with these instructions:
https://www.elastic.co/guide/en/elasticsearch/reference/7.7/configuring-tls.html#configuring-tls
All cert files have a blank password.

Cert file creation should not be the problem, because I successfully created a 3-node Elasticsearch cluster and it works fine. When I used the same commands with Ansible to create a new Elasticsearch cluster, I got the following errors.

My config file:

[root@elk1 elasticsearch]# pwd
/etc/elasticsearch
[root@elk1 elasticsearch]# ls -lha
合計 68K
drwxr-s---.  3 root elasticsearch 4.0K  6月 26 19:54 .
drwxr-xr-x. 82 root root          8.0K  6月 26 14:50 ..
-rw-r--r--.  1 root elasticsearch   76  6月 26 14:50 .elasticsearch.keystore.initial_md5sum
-rw-rw----.  1 root elasticsearch 3.4K  6月 26 14:50 elastic-certificates.p12
-rw-rw----.  1 root elasticsearch  253  6月 26 14:56 elasticsearch.keystore
-rw-rw----.  1 root elasticsearch 1.3K  6月 26 19:54 elasticsearch.yml
-rw-rw----.  1 root elasticsearch 3.4K  6月 26 15:46 http.p12
-rw-rw----.  1 root elasticsearch 2.0K  6月 26 14:50 jvm.options
drwxr-s---.  2 root elasticsearch    6  6月 15 04:43 jvm.options.d
-rw-rw----.  1 root elasticsearch  18K  6月 15 04:40 log4j2.properties
-rw-rw----.  1 root elasticsearch  473  6月 15 04:40 role_mapping.yml
-rw-rw----.  1 root elasticsearch  197  6月 15 04:40 roles.yml
-rw-rw----.  1 root elasticsearch    0  6月 15 04:40 users
-rw-rw----.  1 root elasticsearch    0  6月 15 04:40 users_roles
[root@elk1 elasticsearch]# cat elasticsearch.yml
#################################### Essential ####################################

#cluster name
cluster.name: es1
#node name
node.name: elk1

#bind to all interfaces (0.0.0.0 is not loopback-only)
network.host: 0.0.0.0

discovery.seed_hosts: ["elk1","elk2","elk3"]
cluster.initial_master_nodes: ["elk1","elk2","elk3"]
discovery.zen.minimum_master_nodes: 2

#################################### Paths ####################################

# Path to directory containing configuration (this file and logging.yml):
path.data: /var/lib/elasticsearch

path.logs: /var/log/elasticsearch

#action.destructive_requires_name: true
xpack.security.enabled: true
# This turns on SSL for the HTTP (Rest) interface
xpack.security.http.ssl.enabled: true

# This configures the keystore to use for SSL on HTTP
xpack.security.http.ssl.keystore.path: "http.p12"
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: "/etc/elasticsearch/elastic-certificates.p12"
xpack.security.transport.ssl.truststore.path: "/etc/elasticsearch/elastic-certificates.p12"

Errors:

[2020-06-26T19:54:28,718][INFO ][o.e.n.Node               ] [elk1] node name [elk1], node ID [w7ZoWNmvSGuuKCCAku5FKA], cluster name [es1]
[2020-06-26T19:54:35,019][ERROR][o.e.b.Bootstrap          ] [elk1] Exception
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1289) ~[?:1.8.0_252]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1507) ~[?:1.8.0_252]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:524) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:397) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:263) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$11(Node.java:484) ~[elasticsearch-7.8.0.jar:7.8.0]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:269) ~[?:1.8.0_252]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_252]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_252]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_252]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_252]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_252]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[?:1.8.0_252]
        at org.elasticsearch.node.Node.<init>(Node.java:488) ~[elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:227) ~[elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227) ~[elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393) [elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) [elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) [elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.8.0.jar:7.8.0]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) [elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.8.0.jar:7.8.0]
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:74) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:437) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_252]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:526) ~[?:?]
        ... 26 more
Caused by: java.io.IOException: public key protected PKCS12 not supported
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1958) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_252]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:97) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:65) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:437) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_252]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:526) ~[?:?]
        ... 26 more
[2020-06-26T19:54:35,025][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [elk1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[public key protected PKCS12 not supported];
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.8.0.jar:7.8.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) ~[elasticsearch-cli-7.8.0.jar:7.8.0]
        at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.8.0.jar:7.8.0]

Any advice will be helpful.
Thank you in advance.

I found the reason.
It seems Ansible cannot deliver cert files correctly.

I created the cert files in advance and delivered them with the Ansible template module.
The ES service started with an error.
If I deliver the cert files with the scp command,
the ES service starts without problems.
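
An added example, not part of the original posts: a way to confirm that a delivered `.p12` is byte-identical to its source and is still a well-formed PKCS#12 container, since a keystore altered in transit fails at load time as in the trace above. The sample bytes, the lossy UTF-8 round trip used as the damage model, and the helper names are assumptions made for illustration.

```python
import hashlib

REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 bytes of U+FFFD, left behind by lossy text decoding

def der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_p12(data):
    """Return a list of structural problems in a PKCS#12 blob (empty list = plausible)."""
    problems = []
    if REPLACEMENT in data:               # heuristic: very unlikely in an intact keystore
        problems.append("contains U+FFFD bytes: file passed through a text decoder")
    if len(data) < 2 or data[0] != 0x30:
        return problems + ["does not start with a DER SEQUENCE"]
    try:
        length, body = der_length(data, 1)
    except ValueError as exc:
        return problems + [str(exc)]
    if body + length != len(data):
        problems.append(f"outer SEQUENCE claims {body + length} bytes, file has {len(data)}")
    elif data[body:body + 3] != b"\x02\x01\x03":
        problems.append("PFX version field is not INTEGER 3")
    return problems

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def tlv(tag, content):
    """Build a short-form DER element (sample construction only)."""
    return bytes([tag, len(content)]) + content

# Constructed sample: PFX { version 3, ContentInfo { id-data, [0] OCTET STRING } }
SAMPLE = tlv(0x30, b"\x02\x01\x03" + tlv(0x30,
    bytes.fromhex("06092a864886f70d010701") + tlv(0xA0, tlv(0x04, bytes(range(0x80, 0xA0))))))
# Assumed damage model: a lossy UTF-8 round trip, as a text-oriented copy step might do
MANGLED = SAMPLE.decode("utf-8", errors="replace").encode("utf-8")

if __name__ == "__main__":
    for name, blob in (("source", SAMPLE), ("delivered", MANGLED)):
        print(name, sha256_hex(blob)[:16], check_p12(blob) or "ok")
```

Ansible's `template` module renders its source as Jinja2 text, while `copy` transfers the file bytes unchanged. Running `sha256sum` on the file on both hosts gives the same verdict as `sha256_hex`.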
