Setup-Passwords script fails when ssl.keystore.password is not set


Hi All,

I installed ES 6.1.3 with X-Pack. The steps:

  1. generate CA (with the Certutil)

  2. generate certs for each node signed by the CA in a pkcs12 keystore with a password set.

  3. copied Elasticsearch on each node (tar.gz)

  4. used elasticsearch-keystore to set the pkcs12 keystore-password

    cat /path/to/pwfile.txt | /opt/elasticsearch/product/bin/elasticsearch-keystore add --stdin xpack.ssl.keystore.secure_password 
  5. start all nodes -> all fine, the cluster is formed and the master is elected

  6. calling setup-passwords gives me following exception:

    /opt/elasticsearch/product/bin/x-pack/setup-passwords auto --batch -u https://ls01127y:9200/
    Exception in thread "main" ElasticsearchException[failed to initialize a KeyManagerFactory];
    nested: IOException[keystore password was incorrect];
    nested: UnrecoverableKeyException[failed to decrypt safe contents entry:
    javax.crypto.BadPaddingException: Given final block not properly padded];
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(
     at org.elasticsearch.xpack.ssl.SSLService.createSslContext(
     at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(
     at org.elasticsearch.xpack.ssl.SSLService.<init>(
     at org.elasticsearch.cli.EnvironmentAwareCommand.execute(
     at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
     at org.elasticsearch.cli.MultiCommand.execute(
     at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
     at org.elasticsearch.cli.Command.main(
    Caused by: keystore password was incorrect
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.getKeyStore(
     at org.elasticsearch.xpack.ssl.StoreKeyConfig.createKeyManager(
     ... 12 more
    Caused by: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
     ... 16 more

It seems that the password for the keystore is incorrect, but the nodes have formed the cluster, so this could not be.

OK, then I did the following:

  1. Stop the Node

  2. Add the setting (xpack.ssl.keystore.password) to the elasticsearch.yml

  3. Start the node

  4. Calling setup-passwords now works, the passwords are set, but I get the following deprecation message:

    09:08:20.891 [main] WARN  org.elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.

So, I am a bit confused. Why isn't it enough to set the "secure_password"? Maybe it is a bug?
I didn't find the deprecation in the "breaking changes" section of ES 7.0 or X-Pack.

For all calls I source our environment (to set ES_PATH_CONF and so on...) and set JAVA_HOME. We use JDK 1.8.

Does anyone have an idea?



It is a bug. setup-passwords only reads from the elasticsearch.yml and not from elasticsearch.keystore. We will fix that in an upcoming release.


OK, thanks for the info. I think since this is X-Pack, there won't be a bug number that I can track - will there?

No, there is no publicly available issue to track.
For now you'll just need to keep an eye on release notes.
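
An added example (not part of the thread and not Elastic's code): the workaround discussed above puts the keystore password in plaintext in elasticsearch.yml. This Python check lists such settings, in flat or nested YAML form, and names the `secure_` setting that belongs in elasticsearch.keystore, without printing the secret. Only `xpack.ssl.keystore.password` comes from the thread; the other leaf names, the function names and the sample config are assumptions.

```python
import re

# Leaf names that carry a plaintext secret when they appear in elasticsearch.yml.
# "password" under xpack.ssl.keystore is the case from the thread; the other
# leaves are an assumption that the same secure_ naming applies.
PLAINTEXT_LEAVES = {"password", "key_password", "key_passphrase"}
LINE = re.compile(r"^(\s*)([A-Za-z0-9_.\-]+)\s*:\s*(.*)$")

def flatten_yaml(text):
    """Yield (line_no, dotted_key, value) for scalar settings, flat or nested."""
    stack = []  # (indent, key) of the enclosing mappings
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        m = LINE.match(line)  # comment-only, blank and list lines do not match
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left one or more nested mappings
        if value == "":
            stack.append((indent, key))  # "key:" opens a nested mapping
        else:
            yield no, ".".join([k for _, k in stack] + [key]), value.strip("'\"")

def find_plaintext_ssl_secrets(text):
    """Return [(line_no, setting, secure_setting)]; the secret value is never returned."""
    findings = []
    for no, key, _value in flatten_yaml(text):
        parts = key.split(".")
        if "ssl" in parts and parts[-1] in PLAINTEXT_LEAVES:
            secure = ".".join(parts[:-1] + ["secure_" + parts[-1]])
            findings.append((no, key, secure))
    return findings

# Constructed sample config (not from the thread); the passwords are placeholders.
SAMPLE = """\
cluster.name: demo
xpack.ssl.keystore.path: certs/node01.p12
xpack.ssl.keystore.password: changeme   # workaround from the thread
xpack:
  ssl:
    truststore:
      password: "changeme"
"""

if __name__ == "__main__":
    for no, key, secure in find_plaintext_ssl_secrets(SAMPLE):
        print(f"line {no}: {key} is plaintext; store it as {secure} in elasticsearch.keystore")
```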

