Setup-Passwords script fails when ssl.keystore.password is not set


#1

Hi All,

I installed ES 6.1.3 with X-Pack. The steps:

  1. generate CA (with the Certutil)

  2. generate certs for each node signed by the CA in a PKCS12 keystore with a password set.

  3. copied Elasticsearch on each node (tar.gz)

  4. used elasticsearch-keystore to set the PKCS12 keystore password

    cat /path/to/pwfile.txt | /opt/elasticsearch/product/bin/elasticsearch-keystore add --stdin xpack.ssl.keystore.secure_password 
    
  5. start all nodes -> all fine, the cluster is formed and the master is elected

  6. calling setup-passwords gives me the following exception:

    /opt/elasticsearch/product/bin/x-pack/setup-passwords auto --batch -u https://ls01127y:9200/
    Exception in thread "main" ElasticsearchException[failed to initialize a KeyManagerFactory];
    nested: IOException[keystore password was incorrect];
    nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:84)
     at org.elasticsearch.xpack.ssl.SSLService.createSslContext(SSLService.java:410)
     at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:444)
     at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87)
     at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:91)
     at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
     at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
     at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
     at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
     at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
     at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
     at org.elasticsearch.cli.Command.main(Command.java:90)
     at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
    Caused by: java.io.IOException: keystore password was incorrect
     at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
     at java.security.KeyStore.load(KeyStore.java:1445)
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.getKeyStore(StoreKeyConfig.java:126)
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:80)
     ... 12 more
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
     ... 16 more
    

It seems that the password for the keystore is incorrect, but the nodes have formed the cluster, so this cannot be.

OK, then I did the following:

  1. Stop the Node

  2. Add the setting (xpack.ssl.keystore.password) to the elasticsearch.yml

  3. Start the node

  4. Calling setup-passwords now works, the passwords are set, but I get the following deprecation message:

    09:08:20.891 [main] WARN  org.elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
    

So, I am a bit confused. Why isn't it enough to set the "secure_password"? Maybe it is a bug?
I didn't find the deprecation in the "breaking changes" section of ES 7.0 or X-Pack.

For all calls I source our environment (to set ES_PATH_CONF and so on...) and set JAVA_HOME. We use JDK 1.8.

Does anyone have an idea?

Greetings,

Jupp


(Tim Vernum) #2

It is a bug. setup-passwords only reads from the elasticsearch.yml and not from elasticsearch.keystore. We will fix that in an upcoming release.
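
As an added example (not part of this thread and not Elastic's code): a small Python audit that flattens an elasticsearch.yml and flags plaintext secrets such as xpack.ssl.keystore.password, the setting the workaround above leaves in clear text on disk. The plaintext entry is readable by anyone with access to the config directory, so it is worth finding and removing again once a release of setup-passwords reads elasticsearch.keystore. The parser assumes the simple block-style YAML elasticsearch.yml uses (no lists, anchors or multi-line values); the rule that `<prefix>.password` belongs in the keystore as `<prefix>.secure_password` generalises the single pair shown in the thread, and the sample config is constructed for the example.

```python
"""Audit an elasticsearch.yml for plaintext secrets that belong in elasticsearch.keystore.

Example code added to the thread, not Elastic's own tooling.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the config state after the workaround in the thread,
# i.e. the keystore password written into elasticsearch.yml in clear text.
SAMPLE_YML = """\
cluster.name: demo
xpack.security.enabled: true
xpack.ssl:
  keystore.path: certs/node01.p12
  keystore.password: "changeme-PLACEHOLDER"   # deprecated plaintext setting
  verification_mode: certificate
# xpack.ssl.truststore.password: commented-out-value
"""

# One `key: value` line; the key may itself be dotted (keystore.path) and the
# value may be empty, which marks the start of a nested mapping.
_LINE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z0-9_.\-]+)\s*:\s*(?P<value>.*)$")


def _strip_comment_and_quotes(raw: str) -> str:
    """Return the scalar value without surrounding quotes or a trailing comment."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" #", 1)[0].strip()


def flatten_settings(text: str) -> Dict[str, str]:
    """Flatten block-style YAML (`a:` / `  b.c: v`) into {'a.b.c': 'v'}.

    Assumption: only the simple nested-mapping form used by elasticsearch.yml.
    """
    settings: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing parents
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue
        indent = len(match.group("indent"))
        # Leave every parent that is not indented less than the current line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        full_key = ".".join([seg for _, seg in stack] + [match.group("key")])
        value = _strip_comment_and_quotes(match.group("value"))
        if value == "":
            stack.append((indent, match.group("key")))  # parent mapping
        else:
            settings[full_key] = value
    return settings


def audit_plaintext_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (plaintext setting, keystore setting it should move to) for each finding.

    Assumption: `<prefix>.password` and `<prefix>.key_passphrase` map to
    `<prefix>.secure_password` / `<prefix>.secure_key_passphrase`, as the
    keystore.password / keystore.secure_password pair in the thread does.
    """
    findings: List[Tuple[str, str]] = []
    for key in flatten_settings(text):
        prefix, _, last = key.rpartition(".")
        if last.startswith("secure_"):
            continue  # secure_* settings never belong in the yml; nothing to flag
        if last == "password" or last.endswith("passphrase"):
            secure = f"{prefix}.secure_{last}" if prefix else f"secure_{last}"
            findings.append((key, secure))
    return findings


if __name__ == "__main__":
    for setting, secure_setting in audit_plaintext_secrets(SAMPLE_YML):
        print(f"{setting}: plaintext secret in elasticsearch.yml; "
              f"store it with `elasticsearch-keystore add {secure_setting}` and remove it from the yml")
```

Run against the sample, the audit reports only `xpack.ssl.keystore.password`; the commented-out truststore line and the non-secret settings are ignored. Pointing `audit_plaintext_secrets` at the real file (`open(path).read()`) after the fix ships tells you whether the workaround entry is still there; `bin/elasticsearch-keystore list` confirms the secure setting is present in the keystore.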


#3

OK, thanks for the info. I think since this is X-Pack, there won't be a bug number that I can track - will there?


(Tim Vernum) #4

No, there is no publicly available issue to track.
For now you'll just need to keep an eye on release notes.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.