Setting passwords for all built-in users for x-pack


(tabitha) #1

After running the following code in the following directory:
/usr/share/elasticsearch

I ran the following code:

sudo bin/x-pack/setup-passwords interactive

I get the following message:

SSL connection to https://127.0.0.1:9200/_xpack/security/_authenticate?pretty failed: 
Unrecognized SSL message, plaintext connection?
Please check the elasticsearch SSL settings under xpack.security.http.ssl.
 
ERROR: Failed to establish SSL connection to elasticsearch at 
https://127.0.0.1:9200/_xpack/security/_authenticate?pretty

I have installed Elasticsearch 6.1.2, Logstash 6.1.2 and Kibana 6.1.2 on Ubuntu 16.04.3 LTS. I have checked my SSL settings under xpack.security.http.ssl and it is shown below.

elasticsearch.yml file:

#NOTE: Elasticsearch comes with reasonable defaults for most settings.
#Before you set out to tweak and tune the configuration, make sure you
#understand what are you trying to accomplish and the consequences.
#The primary way of configuring a node is via this file. This template lists
#the most important settings you may want to configure for a production cluster.
#Please consult the documentation for further information on configuration options:
#https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
#---------------------------------- Cluster -----------------------------------
#Use a descriptive name for your cluster:
#
cluster.name: ES Cluster1
#
#---------------------------------- Node -----------------------------------
#Use a descriptive name for the node:
#
node.name: ES Node1
#
#Add custom attributes to the node:
#
#node.attr.rack: r1
#
#---------------------------------- Paths -----------------------------------
#Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
#Path to log files:
#
path.logs: /var/log/elasticsearch
#
#---------------------------------- Memory -----------------------------------
#Lock the memory on startup:
#bootstrap.memory_lock: true
#
#Make sure that the heap size is set to about half the memory available
#on the system and that the owner of the process is allowed to use this
#limit.
#Elasticsearch performs poorly when the system is swapping the memory.
#
#---------------------------------- Network -----------------------------------
#Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: localhost
#
#Set a custom port for HTTP:
#
http.port: 9200
#
#For more information, consult the network module documentation.
#
#---------------------------------- Discovery -----------------------------------
#Pass an initial list of hosts to perform discovery when new node is started:
#The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
#Prevent the "split brain" by configuring the majority of nodes (total number of master-
#eligible nodes / 2 + 1):
#
#discovery.zen.minimum_master_nodes: 
#
#For more information, consult the zen discovery module documentation.
#
#---------------------------------- Gateway -----------------------------------
#Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
#For more information, consult the gateway module documentation.
#
#---------------------------------- Various -----------------------------------
#Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
#---------------------------------- X-Pack -----------------------------------
#automatic index creation, required by X-pack
#
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-
history*,.ml*
#
#enable TLS on elasticsearch nodes
#
xpack.ssl.keystore.path: certs/elastic-certificates.p12
xpack.ssl.truststore.path: certs/elastic-certificates.p12
#
#enable TLS on the transport networking layer to ensure communication between 
#nodes is encrypted
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
#
#enable TLS on HTTP layer to ensure that communication between HTTP clients and the 
#cluster is encrypted
#
xpack.security.http.ssl.enabled: true

(Tim Vernum) #2

Please make the effort to format your post to be as readable as possible - there's a live preview panel for exactly this reason.

For blocks of configuration or code, please use the </> button to create a "Preformatted text" block.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of poorly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.


(Tim Vernum) #3

The setup-passwords tool is trying to connect to port 9200 over SSL and finding what appears to be a plaintext server on the other end.

Your elasticsearch configuration looks correct, so there's a few possibilities to check:

  1. Did you restart ES after setting up that configuration. Elasticsearch does not automatically reload the configuration file, so if you make changes, then you need to restart your nodes.
  2. Are you sure that ES is reading the config file that you think it is? Depending on how you installed Elastisearch, and how you're starting it up, it might be reading from a different file. At the top of your elasticsearch log file, there should be a line that looks like this (below) that will tell you where ES is reading its configuration from.
    ... [INFO ][o.e.n.Node]   JVM arguments [ ... -Des.path.home=/path/to/elasticsearch, -Des.path.conf=/path/to/es-config]
    
  3. Is it possible that you have more than 1 elasticsearch instance running?
  4. Is ES really the process that is listening on port 9200 ? Could something else be running there?

You can also try doing a simple curl connection to ES to check. Run both of these. One of them should fail with an Elasticseach security error, and the other will fail with a curl connection error.

curl 'https://localhost:9200/'
curl 'http://localhost:9200/'

That won't help solve the problem, but it will confirm whether the error message you're getting from setup-passwords is accurate.


(tabitha) #4

Thank you for your reply. I also thank you for the advise on how to post. I did play with it and figured out how to make the post more presentable.

I did restart ES after setting up the configuration. Since I am running Elastic Stack on Ubuntu, I and using the Systemd cmd to stop/start.

Please see the following after running the curl cmds:

curl: (7) Failed to connect to localhost port 9200: Connection refused

When I run the following cmd to setup the passwords, I now get this error:

Connection failure to https://127.0.0.1:9200/_xpack/security/_authenticate?pretty failed: Connection refused (Connection refused)

ERROR: Failed to connect to elasticsearch at https://127.0.0.1:9200/_xpack/security/_authenticate?pretty. Is the URL correct and elasticsearch running?

But I did restart it and now it is not running, however it was running prior to changing the x-pack configurations in the elasticsearch.yml


(Tim Vernum) #5

You'll need to look at the log files for Elasticsearch to find out why it's not starting.

This documentation has guidance on how to work through "Elasticsearch doesn't start" issues under systemd on debian based machine (including Ubuntu)

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/deb.html#deb-running-systemd


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.