Trying to set up TLS on Elastic Cluster

I'm getting an error in the java log.
Caused by: access denied ("" "/usr/share/elasticsearch/config/certs/elastic-node-tls-ca.p12" "read")

Checking the permissions, it looks like the elasticsearch group has read access. The file is owned by root. What should I change to allow elasticsearch to have access to it and keep it secure? :sunglasses:

@bigdamhero can you please confirm that the file is under the elasticsearch config dir? In configuration do you use relative paths?

Thanks for the reply Albert! I am a little unsure about the relative path.

I created a directory /config..

Here is my entry from my .yml /usr/share/elasticsearch/config/certs/elastic-node-tls-ca.p12

Should that be shortened? If so, what should it look like?
Thanks again!!

When you start Elasticsearch, near the top of the log there should be a message that says something like:

[2018-08-07T01:01:01,000][INFO ][o.e.n.Node               ] JVM arguments [ ... ]

In that log entry, what is -Des.path.conf set to?


Is that where the config folder "should" be?

It can be anywhere you like. BUT from

Copy the applicable .p12 file into a directory within the Elasticsearch configuration directory on each node.

Therefore, the problem is that /usr/share/elasticsearch/config/certs/elastic-node-tls-ca.p12 is not under /etc/elasticsearch. Either change -Des.path.conf to /usr/share/elasticsearch/config or move elastic-node-tls-ca.p12 under whatever path es.path.conf points to.

This is a security feature to confine the Java process under a path jail.

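The check described in the reply above, as an added example that is not part of the original thread: it reads -Des.path.conf from the startup log line and tests whether a configured keystore path falls under that directory. The function names and the sample log line are constructed for illustration, and resolving a relative path against the config directory is an assumption.

```shell
#!/bin/sh
# Added example; helper names are hypothetical and the log line is constructed.

# Constructed startup line in the "JVM arguments" format quoted in the thread.
SAMPLE_LOG='[2018-08-07T01:01:01,000][INFO ][o.e.n.Node               ] JVM arguments [-Xms1g, -Xmx1g, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch]'

# Print the value of -Des.path.conf found in a "JVM arguments" log line.
es_path_conf() {
  printf '%s\n' "$1" | sed -n 's/.*-Des\.path\.conf=\([^], ]*\).*/\1/p'
}

# Succeed only if absolute path $2 lies inside directory $1. The check is
# lexical: "." and ".." segments are refused instead of being resolved, and
# symlinks are not followed.
is_under() {
  iu_base="${1%/}"
  case "$2" in
    */../*|*/..|*/./*|*/.) return 1 ;;
  esac
  case "$2" in
    "$iu_base"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = "JVM arguments" log line, $2 = keystore path as written in the .yml.
# Assumption: a relative path is resolved against the config directory.
check_cert_path() {
  cc_conf="$(es_path_conf "$1")"
  if [ -z "$cc_conf" ]; then
    echo "UNKNOWN: no -Des.path.conf in the log line"
    return 2
  fi
  case "$2" in
    /*) cc_path="$2" ;;
    *)  cc_path="${cc_conf%/}/$2" ;;
  esac
  if is_under "$cc_conf" "$cc_path"; then
    echo "OK: $cc_path is under $cc_conf"
  else
    echo "DENIED: $cc_path is outside $cc_conf"
    return 1
  fi
}

# The path from the thread, then the same file after moving it under the config dir.
check_cert_path "$SAMPLE_LOG" /usr/share/elasticsearch/config/certs/elastic-node-tls-ca.p12 || true
check_cert_path "$SAMPLE_LOG" /etc/elasticsearch/certs/elastic-node-tls-ca.p12
```

The prefix match requires a trailing slash after the config directory, so a sibling such as /etc/elasticsearch-old does not pass as being inside /etc/elasticsearch.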

That makes perfect sense. I moved the files to live under /etc/elasticsearch. On to the next error.
