Unable to run ElasticSearch after setting up SSL certificate

RonH8 · August 24, 2022, 7:51am

Hey
I've followed the following guide to setup the SSL certificate for my Elasticsearch which is running on Ubuntu 22.04.1 LTS: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
It's my first time setting up Elasticsearch, thus I only run it on 1 server (which means I use 1 node for now, which also runs Kibana).
Basically, I've run the following:

sudo su
cd /usr/share/elasticsearch
./bin/elasticsearch-certutil ca
Enter (to accept the default name elastic-stack-ca.p12)
Password was entered
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter (to accept the default name elastic-certificates.p12)
The SAME password was entered
chown root:elasticsearch elastic-certificates.p12
chmod 660 elastic-certificates.p12
mv elastic-certificates.p12 /etc/elasticsearch
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
SAME password was entered
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
SAME password was entered

This is my /etc/elasticsearch/elasticsearch.yml:

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: IT-Network
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
#network.host: 192.168.0.1
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# --------------------------------- Readiness ----------------------------------
#
# Enable an unauthenticated TCP readiness endpoint on localhost
#
#readiness.port: 9399
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false
 
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically      
# generated to configure Elasticsearch security features on 23-08-2022 12:55:53
#
# --------------------------------------------------------------------------------
 
# Enable security features
xpack.security.enabled: true
 
xpack.security.enrollment.enabled: true
 
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: elastic-certificates.p12
  truststore.path: elastic-certificates.p12
 
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: elastic-certificates.p12
  truststore.path: elastic-certificates.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["ElasticSearch-Kibana"]
 
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
 
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0
 
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

Then, I restart the service using systemctl restart elasticsearch.service. Then I get an error message which directs me to the log file, which indicates that my SSL certificate password is incorrect, but I'm 100% sure that I've typed the SAME password in all of the steps above:

[2022-08-24T10:49:15,922][INFO ][o.e.n.Node               ] [ElasticSearch-Kibana] version[8.3.3], pid[49547], build[deb/801fed82df74dbe537f89b71b098ccaff88d2c56/2022-07-23T19:30:09.227964828Z], OS[Linux/5.15.0-46-generic/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/18.0.2/18.0.2+9-61]
[2022-08-24T10:49:15,927][INFO ][o.e.n.Node               ] [ElasticSearch-Kibana] JVM home [/usr/share/elasticsearch/jdk], using bundled JDK [true]
[2022-08-24T10:49:15,928][INFO ][o.e.n.Node               ] [ElasticSearch-Kibana] JVM arguments [-Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -Djava.security.manager=allow, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j2.formatMsgNoLookups=true, -Djava.locale.providers=SPI,COMPAT, --add-opens=java.base/java.io=ALL-UNNAMED, -XX:+UseG1GC, -Djava.io.tmpdir=/tmp/elasticsearch-13312618059249404985, -XX:+HeapDumpOnOutOfMemoryError, -XX:+ExitOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Xms3974m, -Xmx3974m, -XX:MaxDirectMemorySize=2083520512, -XX:G1HeapRegionSize=4m, -XX:InitiatingHeapOccupancyPercent=30, -XX:G1ReservePercent=15, -Des.distribution.type=deb, --module-path=/usr/share/elasticsearch/lib, -Djdk.module.main=org.elasticsearch.server]
[2022-08-24T10:49:17,984][INFO ][c.a.c.i.j.JacksonVersion ] [ElasticSearch-Kibana] Package versions: jackson-annotations=2.13.2, jackson-core=2.13.2, jackson-databind=2.13.2.2, jackson-dataformat-xml=2.13.2, jackson-datatype-jsr310=2.13.2, azure-core=1.27.0, Troubleshooting version conflicts: https://aka.ms/azsdk/java/dependency/troubleshoot
[2022-08-24T10:49:19,508][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [aggs-matrix-stats]
[2022-08-24T10:49:19,509][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [analysis-common]
[2022-08-24T10:49:19,509][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [constant-keyword]
[2022-08-24T10:49:19,509][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [data-streams]
[2022-08-24T10:49:19,509][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [frozen-indices]
[2022-08-24T10:49:19,509][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [ingest-common]
[2022-08-24T10:49:19,510][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [ingest-geoip]
[2022-08-24T10:49:19,510][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [ingest-user-agent]
[2022-08-24T10:49:19,510][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [kibana]
[2022-08-24T10:49:19,510][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [lang-expression]
[2022-08-24T10:49:19,511][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [lang-mustache]
[2022-08-24T10:49:19,511][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [lang-painless]
[2022-08-24T10:49:19,511][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [legacy-geo]
[2022-08-24T10:49:19,511][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [mapper-extras]
[2022-08-24T10:49:19,512][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [mapper-version]
[2022-08-24T10:49:19,512][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [old-lucene-versions]
[2022-08-24T10:49:19,512][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [parent-join]
[2022-08-24T10:49:19,512][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [percolator]
[2022-08-24T10:49:19,512][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [rank-eval]
[2022-08-24T10:49:19,513][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [reindex]
[2022-08-24T10:49:19,513][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [repositories-metering-api]
[2022-08-24T10:49:19,513][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [repository-azure]
[2022-08-24T10:49:19,513][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [repository-encrypted]
[2022-08-24T10:49:19,513][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [repository-gcs]
[2022-08-24T10:49:19,514][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [repository-s3]
[2022-08-24T10:49:19,514][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [repository-url]
[2022-08-24T10:49:19,514][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [runtime-fields-common]
[2022-08-24T10:49:19,514][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [search-business-rules]
[2022-08-24T10:49:19,515][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [searchable-snapshots]
[2022-08-24T10:49:19,515][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [snapshot-based-recoveries]
[2022-08-24T10:49:19,515][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [snapshot-repo-test-kit]
[2022-08-24T10:49:19,515][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [spatial]
[2022-08-24T10:49:19,515][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [systemd]
[2022-08-24T10:49:19,516][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [transform]
[2022-08-24T10:49:19,516][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [transport-netty4]
[2022-08-24T10:49:19,516][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [unsigned-long]
[2022-08-24T10:49:19,516][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [vector-tile]
[2022-08-24T10:49:19,516][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [vectors]
[2022-08-24T10:49:19,517][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [wildcard]
[2022-08-24T10:49:19,517][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-aggregate-metric]
[2022-08-24T10:49:19,517][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-analytics]
[2022-08-24T10:49:19,517][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-async]
[2022-08-24T10:49:19,518][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-async-search]
[2022-08-24T10:49:19,518][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-autoscaling]
[2022-08-24T10:49:19,518][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-ccr]
[2022-08-24T10:49:19,518][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-core]
[2022-08-24T10:49:19,518][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-deprecation]
[2022-08-24T10:49:19,519][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-enrich]
[2022-08-24T10:49:19,519][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-eql]
[2022-08-24T10:49:19,519][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-fleet]
[2022-08-24T10:49:19,519][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-graph]
[2022-08-24T10:49:19,519][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-identity-provider]
[2022-08-24T10:49:19,520][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-ilm]
[2022-08-24T10:49:19,520][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-logstash]
[2022-08-24T10:49:19,520][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-ml]
[2022-08-24T10:49:19,520][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-monitoring]
[2022-08-24T10:49:19,520][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-ql]
[2022-08-24T10:49:19,521][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-rollup]
[2022-08-24T10:49:19,521][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-security]
[2022-08-24T10:49:19,521][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-shutdown]
[2022-08-24T10:49:19,521][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-sql]
[2022-08-24T10:49:19,521][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-stack]
[2022-08-24T10:49:19,522][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-text-structure]
[2022-08-24T10:49:19,522][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-voting-only-node]
[2022-08-24T10:49:19,522][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] loaded module [x-pack-watcher]
[2022-08-24T10:49:19,522][INFO ][o.e.p.PluginsService     ] [ElasticSearch-Kibana] no plugins loaded
[2022-08-24T10:49:23,155][INFO ][o.e.e.NodeEnvironment    ] [ElasticSearch-Kibana] using [1] data paths, mounts [[/ (/dev/sda3)]], net usable_space [33.5gb], net total_space [48.4gb], types [ext4]
[2022-08-24T10:49:23,156][INFO ][o.e.e.NodeEnvironment    ] [ElasticSearch-Kibana] heap size [3.8gb], compressed ordinary object pointers [true]
[2022-08-24T10:49:23,163][INFO ][o.e.n.Node               ] [ElasticSearch-Kibana] node name [ElasticSearch-Kibana], node ID [irxskwwXQgGOJbTgO_Ob8A], cluster name [Dorad-IT], roles [data_cold, data, remote_cluster_client, master, data_warm, data_content, transform, data_hot, ml, data_frozen, ingest]
[2022-08-24T10:49:25,588][ERROR][o.e.b.Bootstrap          ] [ElasticSearch-Kibana] Exception
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:605) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1421) ~[?:?]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:461) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:310) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$14(Node.java:668) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:235) ~[elasticsearch-8.3.3.jar:?]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
	at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
	at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:681) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.node.Node.<init>(Node.java:300) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) [elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:224) [elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:67) [elasticsearch-8.3.3.jar:?]
Caused by: org.elasticsearch.common.ssl.SslConfigException: cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
	at org.elasticsearch.common.ssl.SslFileUtil.ioException(SslFileUtil.java:56) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:98) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
	... 25 more
Caused by: java.io.IOException: keystore password was incorrect
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
	at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226) ~[?:?]
	at java.security.KeyStore.load(KeyStore.java:1503) ~[?:?]
	at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
	... 25 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
	at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226) ~[?:?]
	at java.security.KeyStore.load(KeyStore.java:1503) ~[?:?]
	at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
	... 25 more
[2022-08-24T10:49:25,596][ERROR][o.e.b.Elasticsearch      ] [ElasticSearch-Kibana] fatal exception while booting Elasticsearch
org.elasticsearch.bootstrap.StartupException: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:228) [elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:67) [elasticsearch-8.3.3.jar:?]
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:605) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1421) ~[?:?]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:461) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:310) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$14(Node.java:668) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:235) ~[elasticsearch-8.3.3.jar:?]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
	at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
	at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:681) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.node.Node.<init>(Node.java:300) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:224) ~[elasticsearch-8.3.3.jar:?]
	... 1 more
Caused by: org.elasticsearch.common.ssl.SslConfigException: cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
	at org.elasticsearch.common.ssl.SslFileUtil.ioException(SslFileUtil.java:56) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:98) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1421) ~[?:?]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:461) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:310) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$14(Node.java:668) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:235) ~[elasticsearch-8.3.3.jar:?]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
	at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
	at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:681) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.node.Node.<init>(Node.java:300) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:224) ~[elasticsearch-8.3.3.jar:?]
	... 1 more
Caused by: java.io.IOException: keystore password was incorrect
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
	at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226) ~[?:?]
	at java.security.KeyStore.load(KeyStore.java:1503) ~[?:?]
	at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1421) ~[?:?]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:461) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:310) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$14(Node.java:668) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:235) ~[elasticsearch-8.3.3.jar:?]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
	at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
	at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:681) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.node.Node.<init>(Node.java:300) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:224) ~[elasticsearch-8.3.3.jar:?]
	... 1 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
	at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226) ~[?:?]
	at java.security.KeyStore.load(KeyStore.java:1503) ~[?:?]
	at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
	at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1421) ~[?:?]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:461) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:310) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$14(Node.java:668) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:235) ~[elasticsearch-8.3.3.jar:?]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
	at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
	at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
	at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:681) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.node.Node.<init>(Node.java:300) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-8.3.3.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:224) ~[elasticsearch-8.3.3.jar:?]
	... 1 more

I really don't know what I miss in this configuration.
Please assist.
Thanks

Yang_Wang · August 25, 2022, 9:33am

The configuration and error do not match. It seems you haven't configure any password for keystore/truststore used for the HTTP interface. Even though underlyingly it is the same file, you need to configure it separately.

RonH8 · August 25, 2022, 9:34am

Using @Yang_Wang suggestion, I figured that I've missed 2 commands:

./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
SAME password was entered
./bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
SAME password was entered

system · September 22, 2022, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.