I'm trying to set up SSL/TLS with x-pack and running into this when I point to PEM-encoded files:
java.lang.IllegalArgumentException: parsed an unsupported object [PKCS8EncryptedPrivateKeyInfo]
at org.elasticsearch.xpack.ssl.CertUtils.readPrivateKey(CertUtils.java:268) ~[?:?]
at org.elasticsearch.xpack.ssl.PEMKeyConfig.readPrivateKey(PEMKeyConfig.java:80) ~[?:?]
elasticsearch.yml includes all of these settings:
xpack.ssl.key: /path/to/cakey.pem
xpack.ssl.key_passphrase: password
xpack.ssl.certificate: /path/to/01.pem
xpack.ssl.certificate_authorities: [ "/path/to/cacert.pem" ]
Certgen is the recommended approach to generating certificates for Elasticsearch 5.x with X-Pack. If you are able to use certificates from certgen, that will be the most straightforward approach.
Can you explain why you want to use the old (shield) method?
These don't seem quite right. You have the key pointing to the CA key, but the certificate pointing to 01. xpack.ssl.key should be pointing to 01.key (or perhaps 01key.pem, depending on how it was named).
My guess is that this is caused by the same problem as above - you've gotten your key and cert files mixed up somewhere along the way.
xpack.ssl.certificate
This should be the (public) certificate for your node.
The first line of that file should say: -----BEGIN CERTIFICATE-----
xpack.ssl.key
This should be the key for the certificate above.
The first line of that file should say: -----BEGIN RSA PRIVATE KEY-----
xpack.ssl.key_passphrase
This is the passphrase for the key above.
xpack.ssl.certificate_authorities
These should be the (public) certificates for each of the CAs that you wish to trust.
The first line of each file should say: -----BEGIN CERTIFICATE-----
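The first-line checks listed in the reply above can be scripted. The following is an added example, not part of the original thread or of X-Pack itself: `pem_label`, `check_settings` and `demo` are hypothetical helper names, the files are constructed placeholders holding only PEM headers, and it assumes for illustration that cakey.pem is a PKCS#8 encrypted key, which is the object type named in the exception.

```python
import re
import tempfile
from pathlib import Path

# First-line PEM label each setting should have, per the reply above.
EXPECTED = {
    "xpack.ssl.certificate": "CERTIFICATE",
    "xpack.ssl.key": "RSA PRIVATE KEY",
    "xpack.ssl.certificate_authorities": "CERTIFICATE",
}
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")

def pem_label(path):
    """Return the label on the first line of a PEM file, or None if it is not PEM."""
    with open(path, "r", errors="replace") as fh:
        match = BEGIN.match(fh.readline())
    return match.group(1) if match else None

def check_settings(settings):
    """settings maps setting name -> path or list of paths; returns a list of problems."""
    problems = []
    for name, want in EXPECTED.items():
        value = settings.get(name)
        if value is None:
            problems.append(f"{name}: not set")
            continue
        for path in ([value] if isinstance(value, str) else value):
            got = pem_label(path)
            if got != want:
                note = " (PKCS#8 encrypted key)" if got == "ENCRYPTED PRIVATE KEY" else ""
                problems.append(f"{name}: {path} starts with {got!r}, expected {want!r}{note}")
    return problems

def demo():
    """Check constructed placeholder files (headers only, no real key material)."""
    d = Path(tempfile.mkdtemp())
    for fname, label in [("01.pem", "CERTIFICATE"), ("cacert.pem", "CERTIFICATE"),
                         ("cakey.pem", "ENCRYPTED PRIVATE KEY"), ("01.key", "RSA PRIVATE KEY")]:
        (d / fname).write_text(f"-----BEGIN {label}-----\n...\n-----END {label}-----\n")
    base = {"xpack.ssl.certificate": str(d / "01.pem"),
            "xpack.ssl.certificate_authorities": [str(d / "cacert.pem")]}
    bad = check_settings({**base, "xpack.ssl.key": str(d / "cakey.pem")})
    good = check_settings({**base, "xpack.ssl.key": str(d / "01.key")})
    return bad, good

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The check only reads the PEM header, so it cannot tell whether a key actually belongs to the configured certificate.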