Hey Stephen,
I decided to rebuild the server from scratch in case it was something I did. I reset the password because I forgot to write it down when I installed. You were right: I used the wrong user; when I ran the reset tool on user elastic it worked.
Now:
[root@elastic bin]# ./elasticsearch -V
Version: 8.13.0, Build: rpm/09df99393193b2c53d92899662a8b8b3c55b45cd/2024-03-22T03:35:46.757803203Z, JVM: 22
[root@elastic yum.repos.d]# cd /usr/share/elasticsearch/bin/
[root@elastic bin]# ./elasticsearch -V
Version: 8.13.0, Build: rpm/09df99393193b2c53d92899662a8b8b3c55b45cd/2024-03-22T03:35:46.757803203Z, JVM: 22
[root@elastic bin]# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; preset: disabled)
Active: active (running) since Mon 2024-04-01 02:08:17 EDT; 8min ago
Docs: https://www.elastic.co
Main PID: 4427 (java)
Tasks: 89 (limit: 48948)
Memory: 4.2G
CPU: 35.650s
CGroup: /system.slice/elasticsearch.service
├─4427 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.script=/usr>
├─4487 /usr/share/elasticsearch/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative>
└─4510 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller
Apr 01 02:08:06 elastic systemd[1]: Starting Elasticsearch...
Apr 01 02:08:08 elastic systemd-entrypoint[4427]: Apr 01, 2024 2:08:08 AM sun.util.locale.provider.LocaleProviderAdapter <cli>
Apr 01 02:08:08 elastic systemd-entrypoint[4427]: WARNING: COMPAT locale provider will be removed in a future release
Apr 01 02:08:17 elastic systemd[1]: Started Elasticsearch.
In the instructions it says to make sure elastic is running properly.
root@elastic elasticsearch]# curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elasticsearch:$qvu8npyb+qIVQqvurGML https://localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elasticsearch] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elasticsearch] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}[root@elastic elasticsearch]#
I did edit the /etc/elasticsearch/elasticsearch.yml file
Here are the changes I made:
cluster.name: elastic
network.host: 192.168.1.20
http.port: 9200
transport.host: 192.168.1.20
Here is the curl run on localhost:
[root@elastic bin]# curl -v -k -u elastic https://localhost:9200
Enter host password for user 'elastic':
* Trying ::1:9200...
* Connected to localhost (::1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=elastic
* start date: Apr 1 05:59:12 2024 GMT
* expire date: Apr 1 05:59:12 2026 GMT
* issuer: CN=Elasticsearch security auto-configuration HTTP CA
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'elastic'
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET / HTTP/1.1
> Host: localhost:9200
> Authorization: Basic ZWxhc3RpYzpWRUlkM2ZxN3ZmUUp1QXlDeFZPUg==
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 526
<
{
"name" : "elastic",
"cluster_name" : "elastic",
"cluster_uuid" : "BwUiFOUjRteco5764evKIQ",
"version" : {
"number" : "8.13.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "09df99393193b2c53d92899662a8b8b3c55b45cd",
"build_date" : "2024-03-22T03:35:46.757803203Z",
"build_snapshot" : false,
"lucene_version" : "9.10.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact
When I run the curl using the IP address:
[root@elastic bin]# curl -v -k -u elastic https://192.168.1.20:9200
Enter host password for user 'elastic':
* Trying 192.168.1.20:9200...
* Connected to 192.168.1.20 (192.168.1.20) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=elastic
* start date: Apr 1 05:59:12 2024 GMT
* expire date: Apr 1 05:59:12 2026 GMT
* issuer: CN=Elasticsearch security auto-configuration HTTP CA
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'elastic'
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET / HTTP/1.1
> Host: 192.168.1.20:9200
> Authorization: Basic ZWxhc3RpYzpyb290QGVsYXN0aWMgYmluXSMgY3VybCAtdiAtayAtdSBlbGFzdGljIGh0dHBzOi8vbG9jYWxob3N0OjkyMDA=
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="security" charset="UTF-8"
< WWW-Authenticate: Bearer realm="security"
< WWW-Authenticate: ApiKey
< content-type: application/json
< content-length: 465
<
* Connection #0 to host 192.168.1.20 left intact
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}[root@elastic bin]#
[root@elastic bin]#
/var/log/elasticsearch/elastic.log
root@elastic elasticsearch]# tail elastic.log
[2024-04-01T02:08:18,863][INFO ][o.e.x.i.a.TransportPutLifecycleAction] [elastic] adding index lifecycle policy [.fleet-file-fromhost-meta-ilm-policy]
[2024-04-01T02:09:03,830][INFO ][o.e.x.s.a.RealmsAuthenticator] [elastic] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2024-04-01T02:20:49,973][INFO ][o.e.x.s.a.f.FileUserPasswdStore] [elastic] users file [/etc/elasticsearch/users] changed. updating users...
[2024-04-01T02:20:49,975][INFO ][o.e.x.s.a.f.FileUserRolesStore] [elastic] users roles file [/etc/elasticsearch/users_roles] changed. updating users roles...
[2024-04-01T02:20:54,245][INFO ][o.e.x.s.s.SecurityIndexManager] [elastic] security index does not exist, creating [.security-7] with alias [.security]
[2024-04-01T02:20:54,273][INFO ][o.e.c.m.MetadataCreateIndexService] [elastic] [.security-7] creating index, cause [api], templates [], shards [1]/[0]
[2024-04-01T02:20:54,431][INFO ][o.e.c.r.a.AllocationService] [elastic] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-7][0]]])." previous.health="YELLOW" reason="shards started [[.security-7][0]]"
[2024-04-01T02:20:54,977][INFO ][o.e.x.s.a.f.FileUserPasswdStore] [elastic] users file [/etc/elasticsearch/users] changed. updating users...
[2024-04-01T02:20:54,978][INFO ][o.e.x.s.a.f.FileUserRolesStore] [elastic] users roles file [/etc/elasticsearch/users_roles] changed. updating users roles...
[2024-04-01T02:27:28,895][INFO ][o.e.x.s.a.RealmsAuthenticator] [elastic] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[root@elastic elasticsearch]#
Hope this helps, let me know what else I can add.
-Joe
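Added check, not part of Joe's message or of Elasticsearch itself: when a curl -v trace still returns 401 after a password reset, decoding the Authorization header curl actually sent shows exactly which username and password reached the server, which is how you catch a pasted shell prompt or an unquoted `$...` password mangled by the shell before blaming the realm. All traces below are constructed samples (host 192.168.0.2 and the passwords are placeholders); the "PROMPT" case is modeled on pasting the earlier curl command line into the password prompt.

```python
import base64
import re

AUTH_RE = re.compile(r"^>\s*Authorization:\s*Basic\s+(\S+)\s*$", re.MULTILINE)

def make_trace(user: str, password: str) -> str:
    """Build a minimal curl -v request trace carrying a Basic header (constructed sample)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"> GET / HTTP/1.1\n> Host: 192.168.0.2:9200\n> Authorization: Basic {token}\n> Accept: */*\n"

def decode_basic_auth(trace: str):
    """Return the (user, password) curl actually sent in its Basic header, or None."""
    m = AUTH_RE.search(trace)
    if not m:
        return None
    raw = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    user, _, password = raw.partition(":")
    return user, password

def check_credentials(trace: str, expected_user: str) -> list:
    """Flag client-side mistakes that yield a 401 even after a successful password reset."""
    creds = decode_basic_auth(trace)
    if creds is None:
        return ["no Basic Authorization header in trace"]
    user, password = creds
    findings = []
    if user != expected_user:
        findings.append(f"wrong user: sent [{user}], expected [{expected_user}]")
    if password == "":
        findings.append("empty password (unquoted $... expanded by the shell?)")
    if re.search(r"\]#|\$ |^curl ", password):
        findings.append("password looks like a pasted shell prompt or command line")
    if password != password.strip():
        findings.append("password has leading or trailing whitespace")
    return findings

# Constructed samples: a sane login, the wrong account name, a previous command line
# pasted into the password prompt, and an unquoted "$..." password the shell emptied.
SAMPLES = {
    "GOOD": make_trace("elastic", "correct-horse-battery"),
    "WRONG_USER": make_trace("elasticsearch", "correct-horse-battery"),
    "PROMPT": make_trace("elastic", "root@elastic bin]# curl -v -k -u elastic https://localhost:9200"),
    "EXPANDED": make_trace("elastic", ""),
}

if __name__ == "__main__":
    for name, trace in SAMPLES.items():
        print(name, check_credentials(trace, "elastic") or ["credentials look fine"])
```

Run it against a real trace by passing the `>` request lines of your own curl -v output to `check_credentials`, and never paste the decoded password into a ticket or mail thread.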