Running X-Pack on Cluster in an Enclave

I have an ES Cluster that is in an enclave with a private network and no internet access. Can I request the basic license, transfer that license file to the cluster in the enclave and then install the license and be good to go or is there some kind of reach back to validate the license? I tried doing what I suggested and get the following response from Elasticsearch.


In my experience, Elasticsearch licenses are not checked against external servers (our servers do not have access to the internet whatsoever). Maybe your license key is invalid and cannot be matched against what Elasticsearch is expecting or maybe your license has expired.

Thanks....I retyped the license file on the server in the enclave but still get the same response. I confirmed that the JSON is valid but must be missing something. I'm assuming that if security is disabled I can just run without defining a user.

curl -XPUT http://localhost:9200/_xpack/license -d @license_xpack.json

The problem is unlikely to have anything to do with network checks - we don't require you to be connected to the internet for license updates.

If the license file isn't corrupt, then the most likely cause of the problem is clock issues - does your server have the correct date and time? That can cause the license to be rejected.

The date on all my servers is UMT Zulu time so there should be no issue there. Is there any way to get more detail from the error?

Do you have something showing up in your logs? How did you transfer your license file to your server (if you are using FTP in ASCII mode, you might encounter some encoding issues leading to the corruption of the license file)?

I have to check the logs but I just had to restart the server so I'm waiting for Elasticsearch to come back online. I had no way to transfer the file so I just retyped it on the enclave server. I verified the file for valid JSON and have checked the signature at least 3 times to ensure it wasn't missing anything.

It really does sound like something has gone wrong when you retyped the licence. The validation is quite strict, so the smallest difference could cause this sort of failure. Despite your efforts, that seems like the most probable cause.

Since Elasticsearch and X-Pack have been installed on the server, there must be some way to copy data across. I really think that's your best option.

Otherwise, do you have access to some sort of hashing utility? md5sum or the like? Can you verify that the hash of the file on the enclave server matches the original?
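The hash comparison suggested above, as an added example that is not part of the original thread: it prints whether a copy of the license file is byte-identical to the original, differs only in whitespace or line endings (as an ASCII-mode FTP transfer or retyping would cause), or differs in content. It assumes `sha256sum` is available (`md5sum` can be substituted the same way); the function names and the sample JSON are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a license file on the enclave host with the original.

# Digest of the exact bytes of the file.
exact_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Digest with all spaces, tabs, CR and LF removed, so a retyped or re-wrapped
# copy still matches when only the layout differs. Comparison aid only.
stripped_digest() {
    tr -d ' \t\r\n' < "$1" | sha256sum | cut -d' ' -f1
}

# compare_license ORIGINAL_EXACT ORIGINAL_STRIPPED FILE
# Prints one of: identical, whitespace-only, content-differs
compare_license() {
    if [ "$(exact_digest "$3")" = "$1" ]; then
        echo identical
    elif [ "$(stripped_digest "$3")" = "$2" ]; then
        echo whitespace-only
    else
        echo content-differs
    fi
}

# Constructed sample files: the original, a CRLF/re-indented copy, and a copy
# with one mistyped character (l -> 1) in the placeholder signature.
demo() {
    d=$(mktemp -d)
    printf '{"license":{"uid":"constructed-uid","signature":"AAAACONSTRUCTEDl1Ig=="}}\n' > "$d/orig.json"
    printf '{"license":{\r\n  "uid":"constructed-uid",\r\n  "signature":"AAAACONSTRUCTEDl1Ig=="}}\r\n' > "$d/crlf.json"
    printf '{"license":{"uid":"constructed-uid","signature":"AAAACONSTRUCTED11Ig=="}}\n' > "$d/typo.json"
    e=$(exact_digest "$d/orig.json"); s=$(stripped_digest "$d/orig.json")
    for f in orig crlf typo; do
        echo "$f: $(compare_license "$e" "$s" "$d/$f.json")"
    done
    rm -rf "$d"
}
demo
```

Run the two digest functions on the machine holding the original file, carry the two short hex strings into the enclave, and pass them to `compare_license` there along with the local copy.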
