Unable to configure Wildcard certificate in Elasticsearch

Hi Team,

We are facing an issue replacing a wildcard certificate with a self-signed certificate, due to the issue below.

Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded.
Such issues can arise if a bad key is used during decryption.
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2103) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:220) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1472) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:97) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:65) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:437) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1224) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:526) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:524) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:455) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:288) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$15(Node.java:553) ~[elasticsearch-7.10.0.jar:7.10.0]

PFB elasticsearch.yml configuration for SSL

xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: /opt/elasticsearch/config/xxxxxx.p12
xpack.security.http.ssl.truststore.path: /opt/elasticsearch/config/xxxxxx.p12
xpack.security.http.ssl.truststore.type: PKCS12
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.keystore.password: xxxxxxxxxx

Please let me know if we are using any wrong configuration or missing any configuration commands.

Thanks,
Sathish Thumma.

It doesn't look like you have provided a truststore.password.
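The check the reply describes can be automated. The following is an added example, not code from the thread or from Elasticsearch: it scans flat dotted settings like those posted above and reports every keystore or truststore that has a `path` but neither a `password` in the file nor a `secure_password` in the Elasticsearch keystore. The function names are hypothetical, and `secure_settings` is assumed to hold the names printed by `elasticsearch-keystore list`.

```python
import re

# Constructed sample mirroring the settings posted in the question
# (path and password are placeholders, as on the page).
SAMPLE_YML = """\
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: /opt/elasticsearch/config/xxxxxx.p12
xpack.security.http.ssl.truststore.path: /opt/elasticsearch/config/xxxxxx.p12
xpack.security.http.ssl.truststore.type: PKCS12
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.keystore.password: xxxxxxxxxx
"""

STORE_PATH = re.compile(r"^(?P<prefix>.+\.ssl\.(?:keystore|truststore))\.path$")


def parse_flat_settings(text):
    """Parse flat 'dotted.key: value' lines; nested YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def stores_without_password(yml_text, secure_settings=()):
    """Return prefixes of stores that have a path but no password."""
    # secure_settings: setting names held in the Elasticsearch keystore.
    settings = parse_flat_settings(yml_text)
    secure = set(secure_settings)
    missing = []
    for key in settings:
        m = STORE_PATH.match(key)
        if m:
            prefix = m.group("prefix")
            has_yml = bool(settings.get(prefix + ".password"))
            has_secure = prefix + ".secure_password" in secure
            if not (has_yml or has_secure):
                missing.append(prefix)
    return missing


if __name__ == "__main__":
    for prefix in stores_without_password(SAMPLE_YML):
        print(f"{prefix}.path is set but no password is configured for it")
```

Run against the posted configuration, it flags only `xpack.security.http.ssl.truststore`, the store whose load fails in the stack trace (`TrustConfig.getStore`).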
