Setup-Passwords script fails when ssl.keystore.password is not set

Hi All,

I installed ES 6.1.3 with X-Pack. The steps:

  1. generate a CA (with certutil)

  2. generate certs for each node, signed by the CA, in a PKCS12 keystore with a password set

  3. copied Elasticsearch on each node (tar.gz)

  4. used elasticsearch-keystore to set the PKCS12 keystore password

    cat /path/to/pwfile.txt | /opt/elasticsearch/product/bin/elasticsearch-keystore add --stdin xpack.ssl.keystore.secure_password
    
  5. start all nodes -> all fine, the cluster is formed and the master is elected

  6. calling setup-passwords gives me the following exception:

    /opt/elasticsearch/product/bin/x-pack/setup-passwords auto --batch -u https://ls01127y:9200/
    Exception in thread "main" ElasticsearchException[failed to initialize a KeyManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:84)
     at org.elasticsearch.xpack.ssl.SSLService.createSslContext(SSLService.java:410)
     at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:444)
     at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87)
     at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:91)
     at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
     at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
     at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
     at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
     at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
     at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
     at org.elasticsearch.cli.Command.main(Command.java:90)
     at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
    Caused by: java.io.IOException: keystore password was incorrect
     at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
     at java.security.KeyStore.load(KeyStore.java:1445)
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.getKeyStore(StoreKeyConfig.java:126)
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:80)
     ... 12 more
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
     ... 16 more
    

It seems that the password for the keystore is incorrect, but the nodes have formed the cluster, so this cannot be.

OK, then I did the following:

  1. Stop the Node

  2. Add the setting (xpack.ssl.keystore.password) to elasticsearch.yml

  3. Start the node

  4. Calling setup-passwords now works, the passwords are set, but I get the following deprecation message:

    09:08:20.891 [main] WARN  org.elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
    

So, I am a bit confused. Why isn't it enough to set the "secure_password"? Maybe it is a bug?
I didn't find the deprecation in the "breaking changes" section of ES 7.0 or X-Pack.

For all calls we source our environment (to set ES_PATH_CONF and so on) and set JAVA_HOME. We use JDK 1.8.

Does someone have an idea?

Greetings,

Jupp
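One check worth doing before concluding that the tool is at fault is to open the node's PKCS#12 keystore with openssl using the very same password file that was piped into elasticsearch-keystore. If openssl accepts the password, the keystore and the password are fine and the mismatch lies in where the tool reads the password from. The script below is an added example, not part of this thread and not Elastic's code: it generates a throwaway self-signed key pair and exports it as a PKCS#12 file (constructed data; the file names, the CN and both passwords are assumptions), then checks a matching and a non-matching password file against it. In a real run, point it at the node's own .p12 file and pwfile.txt instead.

```shell
#!/bin/sh
# Added example (not from the thread, not Elastic's code): verify a PKCS#12
# keystore password with openssl, independently of Elasticsearch, so a genuine
# password mismatch can be ruled out before blaming setup-passwords.
# File names, the CN and the passwords below are constructed assumptions.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12="$WORK/node.p12"          # stands in for the node keystore from step 2
PWFILE="$WORK/pwfile.txt"     # stands in for /path/to/pwfile.txt from step 4
WRONGPW="$WORK/wrong.txt"     # a password file that does not match

# Build a throwaway node keystore: a self-signed key pair exported as PKCS#12,
# protected with the first line of PWFILE (same shape as the thread's pwfile).
make_test_keystore() {
    printf 'correct-horse-battery\n' > "$PWFILE"
    printf 'wrong-horse-battery\n'   > "$WRONGPW"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ls01127y" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$P12" -passout "file:$PWFILE" >/dev/null 2>&1
}

# check_p12_password KEYSTORE PWFILE
# Opens the PKCS#12 file with the first line of PWFILE and emits nothing
# (-noout). openssl verifies the PKCS#12 MAC and decrypts the bags with that
# password, so a wrong password fails here. Prints "ok" and returns 0 on
# success, prints "bad" and returns 1 otherwise.
check_p12_password() {
    if openssl pkcs12 -in "$1" -noout -passin "file:$2" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo bad
    return 1
}

make_test_keystore

# Usage: the password file that was fed to elasticsearch-keystore must also
# open the PKCS#12 file. If it does, the password is right and the failure is
# in the tool, not in the keystore.
check_p12_password "$P12" "$PWFILE"            # ok
check_p12_password "$P12" "$WRONGPW" || true   # bad
```

Keep in mind that the workaround from this thread puts the same password in clear text in elasticsearch.yml under the deprecated xpack.ssl.keystore.password setting, which is exactly what the secure setting in elasticsearch.keystore exists to avoid. Once setup-passwords has done its job, remove that line again, restart the node, and keep only the xpack.ssl.keystore.secure_password entry.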

It is a bug. setup-passwords only reads from the elasticsearch.yml and not from elasticsearch.keystore. We will fix that in an upcoming release.

OK, thanks for the info. I think since this is X-Pack, there won't be a bug number that I can track, will there?

No, there is no publicly available issue to track.
For now you'll just need to keep an eye on release notes.
