Unable to load elasticsearch certificate

Hello team,
I am getting the error below while running Elasticsearch. I added a new certificate and the error started appearing.

[2022-05-16T11:32:39,322][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [as-dev-2] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL KeyManagerFactory]; nested: CertificateParsingException[signed fields invalid];
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:157) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:77) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) ~[elasticsearch-cli-7.16.3.jar:7.16.3]
	at org.elasticsearch.cli.Command.main(Command.java:77) ~[elasticsearch-cli-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:122) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:80) ~[elasticsearch-7.16.3.jar:7.16.3]
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:548) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1289) ~[?:1.8.0_212-ojdkbuild]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1505) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:544) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:145) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:525) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:338) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$18(Node.java:733) ~[elasticsearch-7.16.3.jar:7.16.3]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_212-ojdkbuild]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.node.Node.<init>(Node.java:747) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:234) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:234) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:434) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:166) ~[elasticsearch-7.16.3.jar:7.16.3]
	... 6 more
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL KeyManagerFactory
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createKeyManager(PEMKeyConfig.java:74) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:454) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:546) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1289) ~[?:1.8.0_212-ojdkbuild]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1505) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:544) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:145) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:525) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:338) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$18(Node.java:733) ~[elasticsearch-7.16.3.jar:7.16.3]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_212-ojdkbuild]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.node.Node.<init>(Node.java:747) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:234) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:234) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:434) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:166) ~[elasticsearch-7.16.3.jar:7.16.3]
	... 6 more
Caused by: java.security.cert.CertificateParsingException: signed fields invalid
	at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791) ~[?:?]
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195) ~[?:?]
	at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:471) ~[?:?]
	at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356) ~[?:?]
	at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:100) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.getCertificateChain(PEMKeyConfig.java:81) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createKeyManager(PEMKeyConfig.java:70) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:454) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:546) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1289) ~[?:1.8.0_212-ojdkbuild]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1505) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:544) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:145) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:525) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:338) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$18(Node.java:733) ~[elasticsearch-7.16.3.jar:7.16.3]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_212-ojdkbuild]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_212-ojdkbuild]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_212-ojdkbuild]
	at org.elasticsearch.node.Node.<init>(Node.java:747) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:234) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:234) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:434) ~[elasticsearch-7.16.3.jar:7.16.3]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:166) ~[elasticsearch-7.16.3.jar:7.16.3]
	... 6 more

Hi,

Could you please share the steps you followed?

This is almost certainly caused by pointing `xpack.security.transport.ssl.certificate` to a file that isn't actually a (PEM-encoded X.509) certificate — the innermost cause in the trace is `CertificateParsingException: signed fields invalid`, thrown from `PEMKeyConfig.getCertificateChain` while that certificate file is being read.

If you provide a copy of your configuration (elasticsearch.yml) then we can help diagnose it.

Hello @TimV ,
Thank you so much for your reply.

Please find the configuration below:

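# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# All settings below are written in flat dotted form with 2-space indentation
# for lists, so that no key is spelled both nested and dotted in one file.
#
# ---------------------------------- Cluster -----------------------------------

cluster.name: abc-elk-dev

# ------------------------------------ Node ------------------------------------

node.name: abc-dev-2

# ----------------------------------- Paths ------------------------------------

# path.logs is a directory, not a log file: Elasticsearch creates its own log
# files underneath it, so "elk.log1" becomes a directory name here.
path.logs: /var/log/elasticsearch/elk.log1

# ---------------------------------- Network -----------------------------------

http.port: 9200

# --------------------------------- Discovery ----------------------------------

# discovery.zen.* are the legacy (pre-7.0) discovery settings. On 7.x the seed
# list is discovery.seed_hosts and discovery.zen.minimum_master_nodes has no
# effect. Left unchanged here; check the 7.16 discovery docs before migrating.
discovery.zen.ping.unicast.hosts: ["pldevelk03.abc.net", "pldevelk04.abc.net"]
discovery.zen.minimum_master_nodes: 2

# ---------------------------- Security (current settings) ---------------------

xpack.security.enabled: true

# Authentication realms, lowest order is tried first.
# The AD realm uses plain ldap:// on port 389, so bind credentials and
# directory traffic are sent unencrypted; prefer ldaps:// (port 636) with the
# AD CA configured for the realm.
xpack.security.authc.realms.active_directory.canon_ad.order: 0
xpack.security.authc.realms.active_directory.canon_ad.domain_name: abc.net
xpack.security.authc.realms.active_directory.canon_ad.url: ldap://abc.net:389
xpack.security.authc.realms.native.native1.order: 1

# Transport-layer TLS (node-to-node).
# verification_mode "certificate" checks that the peer chains to one of the
# CAs below but skips hostname verification; "full" (the default) also checks
# the hostname. Because the trust anchors here are public DigiCert CAs, any
# certificate issued by those CAs - not only this cluster's - would pass the
# chain check; transport trust is normally anchored on a private cluster CA.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certificates/private-key.pem
# The startup failure "CertificateParsingException: signed fields invalid" is
# raised while this certificate file is read (PEMKeyConfig.getCertificateChain
# -> CertParsingUtils.readCertificates), so first confirm that lk.pem is a
# PEM-encoded X.509 certificate (or chain):
#   openssl x509 -in /etc/elasticsearch/certificates/lk.pem -noout -text
# If that errors, the file is not what Elasticsearch expects (e.g. DER, PKCS#7
# or PKCS#12 output, a CSR, or a truncated/corrupted download).
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certificates/lk.pem
xpack.security.transport.ssl.certificate_authorities:
  - /etc/elasticsearch/certificates/DigiCertGlobalRootCA.crt.pem
  - /etc/elasticsearch/certificates/DigiCertTLSRSASHA2562020CA1-1.crt.pem

# HTTP-layer TLS (REST clients); same key and certificate as transport.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certificates/private-key.pem
xpack.security.http.ssl.certificate: /etc/elasticsearch/certificates/lk.pem
xpack.security.http.ssl.certificate_authorities:
  - /etc/elasticsearch/certificates/DigiCertGlobalRootCA.crt.pem
  - /etc/elasticsearch/certificates/DigiCertTLSRSASHA2562020CA1-1.crt.pem

# 2147483647b is the largest value this setting accepts; the default is 100mb.
# Oversized request bodies are a memory-exhaustion exposure on the HTTP layer,
# so raise this only as far as the largest legitimate request needs.
http.max_content_length: 2147483647b

# ---------------------------------- Monitoring --------------------------------

xpack.monitoring.enabled: true
xpack.monitoring.collection.enabled: true
xpack.monitoring.collection.interval: 60s
xpack.monitoring.history.duration: 7d
xpack.monitoring.elasticsearch.collection.enabled: true

# ------------------------------ Watcher e-mail --------------------------------

# Only the SMTP user is set here. The password is a secure setting and belongs
# in the Elasticsearch keystore as
# xpack.notification.email.account.outlook_account.smtp.secure_password,
# never in this file. starttls.enable only offers STARTTLS; set
# smtp.starttls.required: true if the session must not fall back to clear text.
xpack.notification.email.account.outlook_account.profile: outlook
xpack.notification.email.account.outlook_account.smtp.auth: true
xpack.notification.email.account.outlook_account.smtp.starttls.enable: true
xpack.notification.email.account.outlook_account.smtp.host: smtpnpd.mk.net
xpack.notification.email.account.outlook_account.smtp.port: 25
xpack.notification.email.account.outlook_account.smtp.user: abc@nprd.support.pp.com

# --------------------------------- Reindex ------------------------------------

# Quoted so the host:port value is always read as a string.
reindex.remote.whitelist: "172.24.217.21:9204"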
