Trying to set up TLS on Elastic Cluster

I'm getting an error in the java log.
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/elasticsearch/config/certs/elastic-node-tls-ca.p12" "read")

Checking the permissions, it looks like the elasticsearch group has read access. The file is owned by root. What should I change to allow elasticsearch to have access to it and keep it secure? :sunglasses:

@bigdamhero can you please confirm that the file is under the elasticsearch config dir? In configuration do you use relative paths?

Thanks for the reply Albert! I am a little unsure about the relative path.

I created a directory /config..

Here is my entry from my .yml
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-node-tls-ca.p12

Should that be shortened? If so, what should it look like?
Thanks again!!

When you start Elasticsearch, near the top of the log there should be a message that says something like:

[2018-08-07T01:01:01,000][INFO ][o.e.n.Node               ] JVM arguments [ ... ]

In that log entry, what is -Des.path.conf set to?

-Des.path.conf=/etc/elasticsearch,

Is that where the config folder "should" be?

It can be anywhere you like. BUT from https://www.elastic.co/guide/en/elasticsearch/reference/6.2/configuring-tls.html#node-certificates

Copy the applicable .p12 file into a directory within the Elasticsearch configuration directory on each node.

Therefore, the problem is that /usr/share/elasticsearch/config/certs/elastic-node-tls-ca.p12 is not under /etc/elasticsearch. Either change -Des.path.conf to /usr/share/elasticsearch/config or move elastic-node-tls-ca.p12 under whatever path es.path.conf points to.

This is a security feature to confine the java process under a path jail.

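As an added example (not from this thread and not Elastic's own tooling), here is a POSIX shell check that reads the keystore path from an elasticsearch.yml and verifies it resolves inside the directory that -Des.path.conf points to, which is what the answer above requires; the function names and sample files are my own.

```shell
#!/bin/sh
# Added example: reproduce the path-jail check offline before starting the node.
# keystore_path_from_yml YML  -> prints the transport keystore path from the yml
keystore_path_from_yml() {
    sed -n 's/^[[:space:]]*xpack\.security\.transport\.ssl\.keystore\.path:[[:space:]]*//p' "$1" \
        | head -n 1
}

# check_keystore_in_conf CONF_DIR KEYSTORE
# CONF_DIR is the value of -Des.path.conf; KEYSTORE is the yml value (absolute
# or relative). Prints a reason and returns 1 when Elasticsearch would reject it.
check_keystore_in_conf() {
    conf_dir=$1
    keystore=$2
    case $keystore in
        /*) ;;
        # Relative paths in elasticsearch.yml resolve against the config dir
        *) keystore="$conf_dir/$keystore" ;;
    esac
    [ -f "$keystore" ] || { echo "missing: $keystore"; return 1; }
    # Canonicalise both sides so a symlink cannot make a file look like it
    # lives inside the jail when it does not.
    real_conf=$(cd "$conf_dir" 2>/dev/null && pwd -P) \
        || { echo "no conf dir: $conf_dir"; return 1; }
    real_ks=$(cd "$(dirname "$keystore")" && pwd -P)/$(basename "$keystore")
    case $real_ks in
        "$real_conf"/*) ;;
        *) echo "outside es.path.conf: $real_ks is not under $real_conf"; return 1 ;;
    esac
    # root-owned, group elasticsearch, mode 0640 is fine as long as the
    # account running the JVM can actually read it.
    [ -r "$keystore" ] || { echo "not readable by $(id -un): $keystore"; return 1; }
    echo "ok: $real_ks"
    return 0
}
```

Run it as the elasticsearch user so the readability check reflects the account the JVM uses.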

That makes perfect sense. I moved the files to live under /etc/elasticsearch. On to the next error.
