Hi All,
I installed ES 6.1.3 with X-Pack. The steps:
- Generate CA (with the Certutil)
- Generate certs for each node signed by the CA in a PKCS12 keystore with a password set.
- Copied Elasticsearch on each node (tar.gz)
- Used elasticsearch-keystore to set the PKCS12 keystore password:
  `cat /path/to/pwfile.txt | /opt/elasticsearch/product/bin/elasticsearch-keystore add --stdin xpack.ssl.keystore.secure_password`
- Start all nodes -> all fine, the cluster is formed and the master is elected
- Calling setup-passwords gives me the following exception:
```
/opt/elasticsearch/product/bin/x-pack/setup-passwords auto --batch -u https://ls01127y:9200/
Exception in thread "main" ElasticsearchException[failed to initialize a KeyManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
    at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:84)
    at org.elasticsearch.xpack.ssl.SSLService.createSslContext(SSLService.java:410)
    at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:444)
    at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87)
    at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:91)
    at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
    at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
    at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
    at org.elasticsearch.cli.Command.main(Command.java:90)
    at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
Caused by: java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.elasticsearch.xpack.ssl.StoreKeyConfig.getKeyStore(StoreKeyConfig.java:126)
    at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:80)
    ... 12 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
    ... 16 more
```
It seems that the password for the keystore is incorrect, but the nodes have formed the cluster, so this could not be.
OK, then I did the following:
- Stop the node
- Add the setting (xpack.ssl.keystore.password) to the elasticsearch.yml
- Start the node
- Calling setup-passwords now works, the passwords are set, but I get the following deprecation message:

```
09:08:20.891 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
```
So, I am a bit confused. Why isn't it enough to set the "secure_password"? Maybe it is a bug?
I didn't find the deprecation in the "breaking changes" section of ES 7.0 or X-Pack.
For all calls I source our environment (to set ES_PATH_CONF and so on...) and set JAVA_HOME. We use JDK 1.8.
Does anyone have an idea?
Greetings,
Jupp