Workplace search using SSL with Elasticsearch invalid key error

I am trying to connect Workplace Search to a secured Elasticsearch cluster.
The ES cluster is secured using TLS at the HTTP and transport level (I used bin\elasticsearch-certutil cert --keep-ca-key --pem --in instance.yml --out certs.zip).

So elasticsearch.yml looks like this:

discovery.type: single-node
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs_ssl/node01/node01.key
xpack.security.http.ssl.certificate: certs_ssl/node01/node01.crt
xpack.security.http.ssl.certificate_authorities: certs_ssl/ca/ca.crt

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs_ssl/node01/node01.key
xpack.security.transport.ssl.certificate: certs_ssl/node01/node01.crt
xpack.security.transport.ssl.certificate_authorities: certs_ssl/ca/ca.crt

The same key is used to connect Kibana to the cluster without any issue.

Now I'm trying to use the same SSL key and crt to connect WS to Elasticsearch,
so my docker-compose for Workplace Search looks like this:

environment:
  - elasticsearch.host='https://es_host:9200'
  # Elasticsearch SSL settings:
  - elasticsearch.ssl.enabled=true
  - elasticsearch.ssl.certificate=/opt/certs_ssl/node01/node01.crt
  - elasticsearch.ssl.certificate_authority=/opt/certs_ssl/ca/ca.crt
  - elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key
  - elasticsearch.ssl.key_passphrase=
  - elasticsearch.ssl.verify=true

But when running WS, I'm getting this error:

Attaching to workplace-7.9.2
workplace-7.9.2 | Found java executable in PATH
workplace-7.9.2 | Java version detected: 1.8.0_252 (major version: 8)
workplace-7.9.2 | Enterprise Search is starting...
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |
workplace-7.9.2 | Invalid config file (/usr/share/enterprise-search/config/enterprise-search.yml):
workplace-7.9.2 | The setting '#/elasticsearch/ssl/key' is not valid: error reading file '/opt/certs_ssl/node01/node01.key'
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |

What format should I use for the SSL key?

Thank you for your help

Something isn't lined up between your configuration and your error message. Your docker environment has:
- elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key

but the error says: The setting '#/elasticsearch/ssl/key' is not valid: error reading file '/opt/certs_ssl/ca/ca.key'

Is it possible that you've accidentally set a path to a key file that does not exist?

Sorry, this was just a typo when writing this discussion.
Here is my docker-compose.yml and the original error:

Attaching to workplace-7.9.2
workplace-7.9.2 | Found java executable in PATH
workplace-7.9.2 | Java version detected: 1.8.0_252 (major version: 8)
workplace-7.9.2 | Enterprise Search is starting...
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |
workplace-7.9.2 | Invalid config file (/usr/share/enterprise-search/config/enterprise-search.yml):
workplace-7.9.2 | The setting '#/elasticsearch/ssl/key' is not valid: error reading file '/opt/certs_ssl/node01/node01.key'
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |




[root@51-158-22-215]# more docker-compose.yml
version: '3.8'
services:
  workplace:
    image: docker.elastic.co/enterprise-search/enterprise-search:7.9.2
    container_name: workplace-7.9.2
    restart: always
    environment:
      - elasticsearch.host='https://ip_host:9200'
      # Elasticsearch SSL settings:
      - elasticsearch.ssl.enabled=true
      - elasticsearch.ssl.certificate=/opt/certs_ssl/node01/node01.crt
      - elasticsearch.ssl.certificate_authority=/opt/certs_ssl/ca/ca.crt
      - elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key
      - elasticsearch.ssl.key_passphrase=
      - elasticsearch.ssl.verify=false
      - ent_search.auth.source=standard
      - elasticsearch.username=elastic
      - elasticsearch.password=changeme
      - allow_es_settings_modification=true
      # Use=openssl rand -hex 32
      - secret_management.encryption_keys=['key']
      - secret_session_key=key
      - ent_search.external_url=https://ip:3002
      - ent_search.listen_host=ip
      - ent_search.listen_port=3002
      - email.account.enabled=true
      - email.account.smtp.auth=plain
      - email.account.smtp.starttls.enable=true
      - email.account.smtp.host=smtp.gmail.com
      - email.account.smtp.port=587
      - email.account.smtp.user=from@gmail.com
      - email.account.smtp.password=changeme
      - email.account.email_defaults.from=from@gmail.com
      # Configure TLS/SSL encryption.
      - ent_search.ssl.enabled=true
      - ent_search.ssl.keystore.path=/opt/certs_ssl/node01/node01.key
      - ent_search.ssl.keystore.password=
      #- ent_search.ssl.keystore.key_password=
      #- ent_search.ssl.redirect_http_from_port=
    ports:
      - 3002:3002
    network_mode: "host"

volumes:
  data:
    driver: local

Ok great. Can you actually ssh into that docker container and validate that there's a file at /opt/certs_ssl/node01/node01.key and that its permissions are such that the Enterprise Search process can read it? The error is literally that Enterprise Search can't do a File.read('/opt/certs_ssl/node01/node01.key').

Thanks for the hint, looks like I forgot to map the volume 🙂
I added this part to my docker-compose.yml:

volumes:
 - /opt/certs_ssl:/opt/certs_ssl

Now it's working

Attaching to workplace-7.9.2
workplace-7.9.2 | Found java executable in PATH
workplace-7.9.2 | Java version detected: 1.8.0_252 (major version: 8)
workplace-7.9.2 | Enterprise Search is starting...
workplace-7.9.2 | [2020-09-25T15:37:50.423+00:00][1][2002][app-server][INFO]: Enterprise Search version=7.9.2, JRuby version=9.2.9.0, Ruby version=2.5.7, Rails version=4.2.11.3
workplace-7.9.2 | [2020-09-25T15:37:51.063+00:00][1][2002][app-server][INFO]: Successfully connected to Elasticsearch
workplace-7.9.2 | [2020-09-25T15:38:03.756+00:00][1][2002][app-server][INFO]: [db_lock] [installation] Status: [Starting] Ensuring migrations tracking index exists
workplace-7.9.2 | [2020-09-25T15:38:03.951+00:00][1][2002][app-server][INFO]: [db_lock] [installation] Status: [Finished] Ensuring migrations tracking index exists
workplace-7.9.2 | [2020-09-25T15:38:04.922+00:00][1][2002][app-server][INFO]: Creating/updating Enterprise Search indices
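The root cause in this thread was a certificate path set in the container's environment with no volume making that path visible inside the container. The following is an added example, not code from the thread or from Elastic: a static check that lists absolute-path settings in a compose file that no bind mount covers. The function names and the line-based parsing (short-syntax `host:container[:mode]` entries only) are assumptions of this sketch.

```python
import posixpath
import re

# Constructed sample modelled on the compose file in the thread (no volume mapped).
SAMPLE_COMPOSE = """\
services:
  workplace:
    environment:
      - elasticsearch.ssl.enabled=true
      - elasticsearch.ssl.certificate=/opt/certs_ssl/node01/node01.crt
      - elasticsearch.ssl.certificate_authority=/opt/certs_ssl/ca/ca.crt
      - elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key
volumes:
  data:
"""

# "- some.setting=/absolute/path" entries; commented-out lines do not match.
ENV_PATH = re.compile(r"^[ \t]*-[ \t]*([\w.]+)=(/\S+)[ \t]*$", re.M)
# "- host:container" or "- host:container:mode" list items under a volumes: key.
MOUNT = re.compile(r"^\s*-\s*['\"]?([^:'\"\s]+):(/[^:'\"\s]+)(?::\w+)?['\"]?\s*$")


def container_mounts(compose_text):
    """Container-side targets of short-syntax volume entries."""
    targets, in_volumes = [], False
    for line in compose_text.splitlines():
        if line.strip() == "volumes:":
            in_volumes = True
        elif in_volumes and (m := MOUNT.match(line)):
            targets.append(posixpath.normpath(m.group(2)))
        elif line.strip() and not line.lstrip().startswith("#"):
            in_volumes = False  # any other key ends the volumes list
    return targets


def unmapped_paths(compose_text):
    """Return {setting: path} for path settings that no mount makes visible."""
    mounts = container_mounts(compose_text)
    missing = {}
    for setting, raw in ENV_PATH.findall(compose_text):
        path = posixpath.normpath(raw)
        if not any(path == t or path.startswith(t.rstrip("/") + "/") for t in mounts):
            missing[setting] = path
    return missing


if __name__ == "__main__":
    for setting, path in unmapped_paths(SAMPLE_COMPOSE).items():
        print(f"{setting}: {path} is not under any mounted volume")
```

A clean result only shows that the path is mapped; whether the file exists on the host and is readable by the Enterprise Search process still has to be checked inside the container, as suggested in the reply above.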