Unable to start elasticsearch after encryption?

security

(Akhilesh Anb) #1

For encryption I followed each and every step. I added the lines into the .yml file as shown in https://www.elastic.co/guide/en/shield/current/_configure_the_keystores_and_enable_ssl.html

After adding them, I'm unable to start elasticsearch?
Please help me?


(Jay Modi) #2

Hi,

You will need to provide us with more information in order to help you. What happens when you start elasticsearch? What is in your elasticsearch.yml? Any exceptions in the log?

-Jay


(Akhilesh Anb) #3

I added these lines in .yml file.

shield.ssl.keystore.path:          /home/es/config/node01.jks 
shield.ssl.keystore.password:      myPass

shield.ssl.truststore.path:          /home/es/config/truststore.jks 
shield.ssl.truststore.password:      myPass

shield.transport.ssl: true

shield.http.ssl: true

discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["node01:9300", "node02:9301"]

After adding these to the .yml file, the elasticsearch service is not starting. It's not showing any error, but it's not starting.


(Jay Modi) #4

Are you starting via an init/service script or using "bin/elasticsearch"? Are the keystore and truststore files readable permission wise by the user running elasticsearch?

Nothing is being written in the logs when starting up? If not, the best way to try to figure out what is wrong is to comment out the configuration changes. I'd recommend first commenting out the newly added settings except for the discovery ones. Start elasticsearch and verify it is working. Then try adding in the shield.ssl.keystore settings. Verify that works and keep going.


(Akhilesh Anb) #6

I commented everything except discovery... now it's working fine.
If I add those shield lines, it's not starting. Why is this happening?

Please help me.
Thanks in advance...


(Jay Modi) #7

Can you provide answers to all of these questions:

  1. Anything in your log files?
  2. Did you check the file permissions?
  3. Are the passwords/locations correct?

(Akhilesh Anb) #9

Hey, now it's working if I'm commenting out this line:

shield.http.ssl: true

If I'm enabling it also, elasticsearch is started, but if I'm accessing localhost:9200, I'm not getting the response.


(Jay Modi) #10

Did you add https to the URL? So https://localhost:9200. Your browser may give certificate warnings.


(Akhilesh Anb) #11

Yes, I got it now. Thank you very much for your support @jaymode :blush:


(Akhilesh Anb) #12

Now I'm getting an issue regarding kibana...
I pointed the elasticsearch url to https://localhost:9200 in kibana.yml ...
Now kibana is not starting.

It's showing me some errors like:

"No living connections","node_env":"production"

Unable to connect to elasticsearch at https://localhost:9200. Retrying in 2.5 seconds.","node_env":"production"

"error","node_env":"production","error":"Request error, retrying -- DEPTH_ZERO_SELF_SIGNED_CERT"}

(Jay Modi) #13

Did you configure Kibana for SSL, specifically the ca parameter? https://www.elastic.co/guide/en/kibana/current/production.html#enabling-ssl


(Akhilesh Anb) #14

Yes, I have given it, even though I'm not able to start...
It's giving me the main error:

"error","node_env":"production","error":"Request error, retrying -- DEPTH_ZERO_SELF_SIGNED_CERT"}

(Jay Modi) #15

Is the issuer of your certificate the same as the subject?


(Akhilesh Anb) #16

Sorry, I didn't get you, Jaymode...


(Jay Modi) #17

The certificate that you've created for your elasticsearch instance has two fields, an issuer and an owner. The issuer is the CA that has signed the certificate and the owner/subject is the entity that the certificate represents.

Executing keytool -list -v -keystore node01.jks should provide this information. My example shows the following:

Alias name: node01
Creation date: Jun 3, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Test Node
Issuer: C=NL, ST=Amsterdam, L=Amsterdam, EMAILADDRESS=cacerttest@YOUR.COMPANY.TLD, O=Elasticsearch Test Org

My question to you is whether you have the same owner and issuer in your certificate?
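
An added example, not part of the original thread: DEPTH_ZERO_SELF_SIGNED_CERT is the OpenSSL verification result for a leaf certificate that is self-signed and not in the client's trusted set, which is what the owner/issuer question in post #17 checks. This Python sketch parses `keytool -list -v` text and reports private-key aliases whose first certificate has the same owner and issuer; the sample listing and all function names are constructed for illustration.

```python
import re

# Constructed sample of `keytool -list -v` output (not taken from the thread).
SAMPLE = """\
Alias name: node01
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Test Node
Issuer: CN=Example Test CA, O=Example Org
Certificate[2]:
Owner: CN=Example Test CA, O=Example Org
Issuer: CN=Example Test CA, O=Example Org

Alias name: node02
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=node02, OU=Dev
Issuer: CN=node02, OU=Dev
"""

def normalize_dn(dn):
    """Comparable form of a DN: split on unescaped commas, trim, lowercase."""
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip())

def parse_keytool_listing(text):
    """Map alias -> {"type": entry type, "chain": [[owner, issuer], ...]}."""
    entries, alias = {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            alias = value
            entries[alias] = {"type": None, "chain": []}
        elif alias is None:
            continue  # keystore header lines before the first entry
        elif key == "Entry type":
            entries[alias]["type"] = value
        elif key == "Owner":
            entries[alias]["chain"].append([value, None])
        elif key == "Issuer" and entries[alias]["chain"]:
            entries[alias]["chain"][-1][1] = value
    return entries

def self_signed_leaves(text):
    """Aliases of private-key entries whose leaf certificate is its own issuer."""
    return [alias for alias, e in parse_keytool_listing(text).items()
            if e["type"] == "PrivateKeyEntry" and e["chain"]
            and normalize_dn(e["chain"][0][0]) == normalize_dn(e["chain"][0][1] or "")]
```

On the sample, only node02 is reported: node01's leaf is issued by a separate CA, and the self-signed root at the end of its chain is expected and not flagged.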

