X-Pack attempts to load ca-bundle.crt and ca-bundle.trust.crt despite not being configured to do so


(Michael Ihde) #1

I'm using Elasticsearch 5.5.2 within Docker (from the official images) and trying to set up the SSL configuration. I've set:

xpack.ssl.key=/usr/share/elasticsearch/config/tls/private/server.key
xpack.ssl.certificate=/usr/share/elasticsearch/config/tls/certs/server.crt
xpack.ssl.certificate_authorities=/usr/share/elasticsearch/config/tls/certs/trusted_certs.crt

And then I volume mount my host /etc/pki/tls in Docker with:

-v /etc/pki/tls:/usr/share/elasticsearch/config/tls:ro

So far so good. But when I start up the node I get errors from SSLConfigurationReloader.java:76 because it's trying to access /usr/share/elasticsearch/config/tls/ca-bundle.crt. This is an error because on my system /etc/pki/tls/certs/ca-bundle.crt is a symlink to another folder (the same with ca-bundle.trust.crt). If I change the symlinks to be regular files then everything boots correctly.

I'm surprised by this because my configuration does not reference that file anywhere and the documentation that I could find doesn't indicate that this is a default setting. I'd prefer to not have to change the configuration of my host system; is there a way to prevent X-Pack from trying to access these two files? If not, for my education, is there a configuration setting that can alter these paths or is X-Pack hardcoded to look for these paths?


(Tim Vernum) #2

Please provide the content from the actual log files so we can see what's going on.


(Michael Ihde) #3

Here are the relevant parts:

o.e.p.PluginsService loaded plugin [x-pack]
o.e.b.ElasticsearchUncaughtExceptionHandler uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.security.AccessControlException: access denied ("java.io.FilePermission", "/usr/share/elasticsearch/config/tls/certs/ca-bundle.crt", "read')
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127)
    at org.elasticsearch.bootstrap.Elasticserach.execute(Elasticsearch.java:114)
    ...
Caused by java.security.AccessControlException: access denied ("java.io.FilePermission", "/usr/share/elasticsearch/config/tls/certs/ca-bundle.crt", "read')
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    ...
    at org.elasticsearch.watcher.FileWatcher$FileObserver.init(FileWatcher.java:157)
    ...
    at org.elasticsearch.watcher.FileWatcher.doInit(FileWatcher.java:65)
    at org.elasticsearch.watcher.AbstractResourceWatcher.init(AbstractResourceWatcher.java:36)
    at org.elasticsearch.watcher.ResourceWatcherService.add(ResourceWatcherService.java:143)
    at org.elasticsearch.xpack.ssl.SSLConfigurationReloader.lambda#startWatching#0(SSLConfigurationReloader.java:6)
    at java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1853)
    at org.elasticsearch.xpack.ssl.SSLConfigurationReloader.startWatching(SSLConfigurationReloader.java:65)
    at org.elasticsearch.xpack.ssl.SSLConfigurationReloader.<init>(SSLConfigurationReloader.java:55)
    at org.elasticsearch.xpack.XPackPlugin.createComponents(XPackPlugin.java:291)
    at org.elasticsearch.node.Node.lambda$new$7(Node.java:411)
    ....
    at org.elasticsearch.bootstrap.Elasticsearch.inig(Elasticsearch.java:123)
    ...  6 more
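
A pre-flight check for the situation described in the first post, where symlinks inside the host directory being bind-mounted point outside the mounted tree and so cannot resolve the same way inside the container. This is an added example, not part of the original thread; the function names and the directory layout built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# escaping_symlinks ROOT
# Prints one line per symlink under ROOT whose resolved target lies outside
# ROOT or does not exist. Returns 0 if none, 1 if any, 2 if ROOT is unusable.
# Assumes file names without embedded newlines and a readlink that supports -f.
escaping_symlinks() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    report=$(
        find "$root" -type l | while IFS= read -r link; do
            # Resolve the full chain; empty on loops or unresolvable paths.
            target=$(readlink -f "$link") || target=
            case "$target" in
                "$root"/*)
                    [ -e "$link" ] || printf '%s -> %s (dangling)\n' "$link" "$target" ;;
                *)
                    printf '%s -> %s (outside mount)\n' "$link" "${target:-unresolvable}" ;;
            esac
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# demo: constructed layout loosely modelled on the post. certs/ca-bundle.crt
# is a symlink leaving the tree, certs/alias.crt is a symlink staying inside.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/tls/certs" "$tmp/elsewhere"
    : > "$tmp/tls/certs/server.crt"
    : > "$tmp/elsewhere/bundle.pem"
    ln -s "$tmp/elsewhere/bundle.pem" "$tmp/tls/certs/ca-bundle.crt"
    ln -s server.crt "$tmp/tls/certs/alias.crt"
    rc=0
    escaping_symlinks "$tmp/tls" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# When run with an argument, check that directory (e.g. the host path given to -v).
if [ "$#" -gt 0 ]; then
    escaping_symlinks "$1" || exit 1
fi
```

Run it against the host path before starting the container; any line it prints names a symlink that will not point at the same file once only that directory is mounted.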
