Hello,
I'm setting up a 6.1.2 Windows cluster and have a gold license. This is the first machine in the cluster, so I have generated a CA cert with a password and placed it in the config directory.
Relevant keys from the elasticsearch.yml file:
xpack.ssl.keystore.path: elastic-stack-test-ca.p12
xpack.ssl.truststore.path: elastic-stack-test-ca.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
I have run through the docs and am currently trying to complete step 7.
Unfortunately this command, "Elasticsearch\6.1.2\bin\x-pack\setup-passwords auto", is throwing an exception.
Exception:
Exception in thread "main" ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
at org.elasticsearch.xpack.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61)
at org.elasticsearch.xpack.ssl.SSLService.createSslContext(SSLService.java:408)
at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:444)
at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87)
at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:91)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.elasticsearch.xpack.ssl.CertUtils.readKeyStore(CertUtils.java:230)
at org.elasticsearch.xpack.ssl.CertUtils.trustManager(CertUtils.java:221)
at org.elasticsearch.xpack.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:59)
I don't see anywhere in the Set Passwords command where you pass the password for the keystore.
Hoping someone can shed some light on what I might be doing wrong, or on my next steps.
UPDATE
I've taken a step back and started at the basics by reading this blog post.
I did start out with the latest bits, 6.1.2 on a Windows Enterprise 10 machine, but aside from that the steps were followed to the letter. Note that I am using cmder with terminals (node1 term, node2 term) and issuing the command in term3 (C:\tmp\cert_blog\elasticsearch-6.1.2).
Both nodes came up and the logs looked good, but when trying to issue this command (again in term3):
C:\tmp\cert_blog\elasticsearch-6.1.2
λ bin\x-pack\setup-passwords auto -u "https://node1.local:9200"
the response is:
SSL connection to https://node1.local:9200/_xpack/security/_authenticate?pretty failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Please check the elasticsearch SSL settings under xpack.security.http.ssl.
ERROR: Failed to establish SSL connection to elasticsearch at https://node1.local:9200/_xpack/security/_authenticate?pretty.
Here are the nodes' yml files:
node.name: node1
network.host: node1.local
xpack.ssl.key: certs\node1.key
xpack.ssl.certificate: certs\node1.crt
xpack.ssl.certificate_authorities: certs\ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
discovery.zen.ping.unicast.hosts: [ 'node1.local', 'node2.local']
node.max_local_storage_nodes: 2

node.name: node2
network.host: node2.local
xpack.ssl.key: certs\node2.key
xpack.ssl.certificate: certs\node2.crt
xpack.ssl.certificate_authorities: certs\ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
discovery.zen.ping.unicast.hosts: [ 'node1.local', 'node2.local']
node.max_local_storage_nodes: 2
Paths to the certs:
C:\tmp\cert_blog\elasticsearch-6.1.2\config\certs
ca.crt
node1.crt
node1.key
C:\tmp\cert_blog\elasticsearch-6.1.2\config2\certs
ca.crt
node2.crt
node2.key
I feel much more confident about where I am in this process versus the first attempt at the beginning of this post. Do I need to install the CA into Windows so that cmder can issue the commands?
Thank you,
Stephen
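The two errors in this thread are different things: the first trace is the JVM failing to open the PKCS#12 file because the password it was given does not decrypt it (in 6.x that password is supplied through the Elasticsearch keystore as the secure setting `xpack.ssl.keystore.secure_password`, not as a `setup-passwords` flag), and the second is the tool's HTTP client not trusting the issuer of node1's certificate. The script below is an added example, not code from Stephen's post or from Elastic: it builds a throwaway CA, a node certificate signed by it, an unrelated CA and a password-protected PKCS#12 with `openssl`, then reproduces both failure modes with two small checks that can be run against real files. The `elastic-stack-test-ca.p12` name mirrors the post; the password and every other name are constructed for the example, and `openssl` must be on the PATH.

```bash
#!/bin/sh
# Added example (not part of the original post): reproduces the two failure
# modes from the thread against a throwaway PKI generated right here, so the
# checks run offline. All names and the password below are constructed.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_PASS='constructed-ca-password'     # constructed; never reuse in real config
P12="$WORK/elastic-stack-test-ca.p12"

# Generate a CA, a node cert signed by it, an unrelated CA, and a
# password-protected PKCS#12 holding the CA key + cert (constructed PKI).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=elastic-stack-test-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.local" \
        -keyout "$WORK/node1.key" -out "$WORK/node1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/node1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/node1.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=unrelated-ca" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
        -name ca -passout "pass:$CA_PASS" -out "$P12" >/dev/null 2>&1
}

# Returns 0 when the PKCS#12 opens with the supplied password.
# The integrity MAC fails on a wrong password: that is the openssl view of
# "keystore password was incorrect" / BadPaddingException in the Java trace.
p12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Returns 0 when the certificate chains to the given CA file.
# A failure here is what the JVM reports as "PKIX path building failed".
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Human-readable wrapper around the checks, for running interactively.
report() {
    if "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi
}

make_test_pki
report p12_password_ok "$P12" "$CA_PASS"                        # OK
report p12_password_ok "$P12" "wrong-password"                  # FAIL: wrong keystore password
report cert_chains_to_ca "$WORK/ca.crt"    "$WORK/node1.crt"    # OK
report cert_chains_to_ca "$WORK/other.crt" "$WORK/node1.crt"    # FAIL: untrusted issuer
```

Against real files, `p12_password_ok` answers whether the password you placed in the Elasticsearch keystore is the one the `.p12` was exported with, and `cert_chains_to_ca` answers whether the `ca.crt` named in `xpack.ssl.certificate_authorities` of the config directory the tool is reading actually issued the node certificate the HTTP listener presents; the second check must use the config directory the tool resolves, which is why running it from a different install or `config` path than the node it connects to is worth ruling out first.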