Securing Elasticsearch Could not resolve placeholder

Testing TLS integration in a single node Elastic Stack setup. I've run the following:

./bin/elasticsearch-keystore create
./bin/elasticsearch-keystore add certkey

Then added the following lines to elasticsearch.yml:

xpack.security.fips_mode.enabled: true
xpack.security.authc.accept_default_password: false
xpack.security.authc.password_hashing.algorithm: "pbkdf2_1000"
xpack.security.authc.api_key.hashing.algorithm: "pbkdf2_1000"
xpack.security.authc.api_key.cache.hash_algo: "pbkdf2_1000"
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.supported_protocols: [ "TLSv1.3", "TLSv1.2" ]
xpack.security.http.ssl.cipher_suites: [ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ]
xpack.security.http.ssl.keystore.path: "c:/ES7.1/Config/elastic.pfx"
xpack.security.http.ssl.keystore.type: "PKCS#12"
xpack.security.http.ssl.keystore.secure_password: "${certkey}"
xpack.security.http.ssl.keystore.secure_key_password: "${certkey}"
xpack.security.http.ssl.truststore.path: "c:/ES7.1/Config/elastic.pfx"
xpack.security.http.ssl.truststore.type: "PKCS#12"
xpack.security.http.ssl.truststore.secure_password: "${certkey}"
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.supported_protocols: [ "TLSv1.3", "TLSv1.2" ]
xpack.security.transport.ssl.client_authentication: "required"
xpack.security.transport.ssl.cipher_suites: [ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ]
xpack.security.transport.ssl.keystore.path: "c:/ES7.1/Config/elastic.pfx"
xpack.security.transport.ssl.keystore.type: "PKCS#12"
xpack.security.transport.ssl.keystore.secure_password: "${certkey}"
xpack.security.transport.ssl.keystore.secure_key_password: "${certkey}"
xpack.security.transport.ssl.truststore.path: "c:/ES7.1/Config/elastic.pfx"
xpack.security.transport.ssl.truststore.type: "PKCS#12"
xpack.security.transport.ssl.truststore.secure_password: "${certkey}"

However, when starting elasticsearch, the following error appears.

Exception in thread "main" java.lang.IllegalArgumentException: Could not resolve placeholder 'certkey'
        at org.elasticsearch.common.settings.PropertyPlaceholder.parseStringValue(PropertyPlaceholder.java:116)
        at org.elasticsearch.common.settings.PropertyPlaceholder.replacePlaceholders(PropertyPlaceholder.java:69)
        at org.elasticsearch.common.settings.Settings$Builder.replacePropertyPlaceholders(Settings.java:1162)
        at org.elasticsearch.common.settings.Settings$Builder.replacePropertyPlaceholders(Settings.java:1118)
        at org.elasticsearch.node.InternalSettingsPreparer.initializeSettings(InternalSettingsPreparer.java:112)
        at org.elasticsearch.node.InternalSettingsPreparer.prepareEnvironment(InternalSettingsPreparer.java:90)
        at org.elasticsearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:95)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115)
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)

Where am I going wrong?

Elasticsearch works a bit differently than the other Elastic products in regard to the keystore:
Instead of referencing a key alias which is defined in the keystore, Elasticsearch only supports specific fields to be added to the keystore. Those are specially marked in the settings documentation.

As an example, the keystore settings:
Instead of filling the field xpack.security.http.ssl.keystore.password, remove the line completely and just set the key xpack.security.http.ssl.truststore.secure_password in the keystore.

This means for you:

  • remove the secure_* entries from your config
  • add the secure_* entries to your keystore
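The two steps from the answer above, as an added example that is not part of the original thread or of Elastic's tooling: it strips every `secure_*` setting from an elasticsearch.yml and emits the matching `elasticsearch-keystore add` command for each. It also flags any remaining `${...}` placeholder with no matching environment variable, since that is where Elasticsearch looks the name up and why `${certkey}` fails at startup. The function name `split_secure_settings`, the flat dotted-key layout and the `node.name` sample line are assumptions of this example.

```python
import re

# Constructed sample: a few lines from the question's elasticsearch.yml,
# plus one constructed environment-variable placeholder (node.name).
SAMPLE_YML = '''\
node.name: "${HOSTNAME}"
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "c:/ES7.1/Config/elastic.pfx"
xpack.security.http.ssl.keystore.secure_password: "${certkey}"
xpack.security.http.ssl.truststore.secure_password: "${certkey}"
xpack.security.transport.ssl.keystore.secure_key_password: "${certkey}"
'''

SETTING = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$')
PLACEHOLDER = re.compile(r'\$\{([^}]+)\}')

def split_secure_settings(yml_text, environ=()):
    """Return (cleaned_yml, keystore_cmds, unresolved_placeholders).

    Assumes flat dotted keys, one setting per line (hypothetical helper).
    """
    kept, cmds, unresolved = [], [], []
    for line in yml_text.splitlines():
        m = SETTING.match(line)
        if not m:                      # blank lines, comments, anything else
            kept.append(line)
            continue
        key, value = m.groups()
        # secure_* settings belong in the keystore, under their full name.
        if key.rsplit('.', 1)[-1].startswith('secure_'):
            cmds.append('./bin/elasticsearch-keystore add ' + key)
            continue
        # ${NAME} in elasticsearch.yml is resolved from the environment,
        # not from keystore entries.
        for name in PLACEHOLDER.findall(value):
            if name not in environ:
                unresolved.append((key, name))
        kept.append(line)
    return '\n'.join(kept) + '\n', cmds, unresolved

if __name__ == '__main__':
    cleaned, cmds, unresolved = split_secure_settings(SAMPLE_YML)
    print(cleaned)
    print('\n'.join(cmds))
    for key, name in unresolved:
        print(f'unresolved placeholder ${{{name}}} in {key}')
```

Each emitted command prompts for the secret value, so the PFX password is typed into the keystore and never appears in the configuration file.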
