Transport ssl cannot read configured

Hi Team,

I created PKCS#12 certificates for HTTP and transport using the steps below:

openssl genrsa -out elastic_private_key.pem 2048
openssl req -new -key elastic_private_key.pem -out elastic_csr.pem
openssl x509 -req -days 365 -in elastic_csr.pem -signkey elastic_private_key.pem -out elastic_certificate.pem
openssl pkcs12 -export -out elastic_pkcs12.p12 -inkey elastic_private_key.pem -in elastic_certificate.pem -name "Elasticsearch Certificate"  

I also created the same for transport, then ran:

/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

After that I restarted the service.

I am getting this error:

org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a tru$
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:620) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1429) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1708) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:616) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:160) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:494) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:323) ~[?:?]
        at org.elasticsearch.node.NodeConstruction.lambda$construct$13(NodeConstruction.java:816) ~[elasticsearch-8.14.1.jar:?]
        at org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:253) ~[elasticsearch-8.14.1.jar:?]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:288) ~[?:?]
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:212) ~[?:?]
        at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:556) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:546) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:622) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:291) ~[?:?]
        at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:631) ~[?:?]
        at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:637) ~[?:?]
        at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:642) ~[?:?]
        at org.elasticsearch.node.NodeConstruction.construct(NodeConstruction.java:816) ~[elasticsearch-8.14.1.jar:?]
        at org.elasticsearch.node.NodeConstruction.prepareConstruction(NodeConstruction.java:266) ~[elasticsearch-8.14.1.jar:?]
        at org.elasticsearch.node.Node.<init>(Node.java:192) ~[elasticsearch-8.14.1.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:240) ~[elasticsearch-8.14.1.jar:?]

I would really appreciate any support on this matter. Thank you.

You have truncated the error message. It almost certainly says something like

the truststore [elastic_pkcs12.p12] does not contain any trusted certificate entries

What you have created with OpenSSL is a keystore, not a truststore. If you want to create a truststore you need to use elasticsearch-certutil or the JDK's keytool.

But why are you converting your PEM files into PKCS#12? Elasticsearch can handle PEM perfectly fine; there's no need to convert anything.
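
A sketch of the PEM-based transport configuration the reply points to, added here as an illustration and not taken from either poster. It reuses the file names from the question's OpenSSL commands and assumes the files sit in the Elasticsearch config directory, the private key is unencrypted, and every node presents this same self-signed certificate.

```yaml
# elasticsearch.yml (added example; file names come from the commands in the question)
xpack.security.transport.ssl.enabled: true

# "certificate" validates the chain but skips hostname checks. Assumed here because
# the certificate produced by the question's commands carries no subjectAltName.
xpack.security.transport.ssl.verification_mode: certificate

# Node identity: the private key and its certificate, both read directly as PEM.
# The key was generated without encryption, so no secure_key_passphrase is set.
xpack.security.transport.ssl.key: elastic_private_key.pem
xpack.security.transport.ssl.certificate: elastic_certificate.pem

# Trust anchors: the certificate is self-signed, so it is its own issuer and is
# listed here. This setting takes the place of a separate truststore file.
xpack.security.transport.ssl.certificate_authorities: [ "elastic_certificate.pem" ]
```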