Reset password in Elasticsearch does not work

Hello everyone, I have installed my own certificates on my Elasticsearch Server.

  • root CA
  • Server certificate

All certificates are self-signed. I now want to reset the password for the "logstash_system" user and get the following error message:

root@dsme01:/usr/share/elasticsearch# bin/elasticsearch-reset-password -u logstash_system -i
warning: ignoring JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/; using bundled JDK
14:18:05.030 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [192.168.20.10]; the server provided a certificate with subject name [DC=de,DC=example,O=harbich,OU=pki,CN=node1.elasticsearch.intern.example.de,UID=node1.elasticsearch.intern.example.de], fingerprint [4d4e8a6eef37f6426b429b0cf629c197a43ce0dc], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:node1.elasticsearch.intern.example.de,IP:192.168.150.20]; the certificate is issued by [C=de,DC=example,O=harbich,OU=pki,CN=HarbichCA] but the server did not provide a copy of the issuing certificate in the certificate chain; the issuing certificate with fingerprint [986fd3571759f36fb888ca53cda9a91b1b40c580] is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/etc/elasticsearch/certs/HarbichCA.cacert.pem})])
java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.20.10 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165) ~[?:?]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:82) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:578) ~[?:?]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183) ~[?:?]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142) ~[?:?]
at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) ~[?:?]
at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:178) ~[?:?]
at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:112) ~[?:?]
at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.checkClusterHealthWithRetries(BaseRunAsSuperuserCommand.java:214) ~[?:?]
at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.execute(BaseRunAsSuperuserCommand.java:127) ~[?:?]
at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54) ~[elasticsearch-8.4.3.jar:8.4.3]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85) ~[elasticsearch-cli-8.4.3.jar:8.4.3]
at org.elasticsearch.cli.Command.main(Command.java:50) ~[elasticsearch-cli-8.4.3.jar:8.4.3]
at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64) ~[cli-launcher-8.4.3.jar:8.4.3]

ERROR: Failed to determine the health of the cluster.

Can it be that I still have to activate the imported certificates in the keystore? Or what am I doing wrong?

I need some support.

Greetings from Stefan Harbich

It is also strange that the IP 192.168.20.10 is mentioned. However, this IP address is not that of the Elasticserver.

The solution is to add the following entry to the "elasticsearch.yml" file:

xpack.security.http.ssl.verification_mode: certificate
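An added example, not from the thread: a small Python model of the hostname check that raised the CertificateException above, with PEER_CERT constructed from the SAN list in the DiagnosticTrustManager warning. It shows why 192.168.20.10 fails while 192.168.150.20 and node1.elasticsearch.intern.example.de pass; "verification_mode: certificate" keeps chain validation but skips exactly this step, so connecting to a target that the SAN covers (the tool's --url option) or reissuing the certificate with the right SAN keeps full verification instead.

```python
import ipaddress

# Constructed from the SAN list in the DiagnosticTrustManager warning above,
# in the dict shape that Python's ssl.SSLSocket.getpeercert() returns.
PEER_CERT = {
    "subjectAltName": (
        ("DNS", "node1.elasticsearch.intern.example.de"),
        ("IP Address", "192.168.150.20"),
    ),
}

def san_entries(cert):
    """Return (dns_names, ip_addresses) from a getpeercert()-style dict."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def matches_san(cert, target):
    """Hostname check that verification_mode: full performs and
    verification_mode: certificate skips: the connection target must be in
    the SAN list; an IP target is matched only against IP SANs, never CN."""
    dns, ips = san_entries(cert)
    try:
        return ipaddress.ip_address(target) in ips
    except ValueError:
        pass  # not an IP literal, so compare as a DNS name
    host = target.lower().rstrip(".")
    for name in dns:
        if name.startswith("*.") and "*" not in name[2:]:
            # single-label wildcard: *.example.de matches a.example.de only
            suffix = name[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False

def explain(cert, target):
    """Verdict in the wording of the CertificateException in the trace."""
    if matches_san(cert, target):
        return f"OK: {target} matches a subject alternative name"
    return f"No subject alternative names matching {target} found"

if __name__ == "__main__":
    for t in ("192.168.20.10", "192.168.150.20"):
        print(explain(PEER_CERT, t))
```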
