Xpack.security.transport.ssl setup issue

cheching · September 6, 2022, 7:43am

Hi Team,

Need yours assist to look into below issue, I'm using self hosted Kibana & Elasticsearch as well. But I have an error after I generated the certificates and copy it into the etc/elasticsearch/certs path. And after I configured the elasticsearch.yml file, Elasticsearch were unable to start. Below is my configuration in the elasticsearch.yml and the error logs. Appreciated if you could help on this. Thanks again

elasticsearch.yml

xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
client_authentication: required
keystore.path: certs/elastic-certificates.p12
truststore.path: certs/elastic-certificates.p12

Error logs from journalctl -xeu elasticsearch.service

Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Sep 06 14:31:54 kibana-virtual-machine systemd[1]: elasticsearch.service: uncaught exception in thread [main]
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [>
Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/certs/ela>
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.j>
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.jav>
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.jav>
at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystem>
at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemP>
at java.base/java.nio.file.Files.newInputStream(Files.java:160)
at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:>
at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConf>
at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTru>
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.j>
at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1220)
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$>
at java.base/java.util.HashMap.forEach(HashMap.java:1421)
at java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:>
at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLServ>
at org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:156)
at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.jav>
at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.jav>
at org.elasticsearch.node.Node.lambda$new$16(Node.java:662)
at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline>
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Array>
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.jav>
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipel>
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOp>
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.jav>
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.ja>
at org.elasticsearch.node.Node.(Node.java:676)
at org.elasticsearch.node.Node.(Node.java:277)
<<>>
For complete error details, refer to the log at /var/log/elasticsearch/mims-lab.log
Main process exited, code=exited, status=1/FAILURE

cheshirecat · September 6, 2022, 7:45am

This should be like:

xpack.security.transport.ssl.enabled: true

warkolm · September 6, 2022, 7:54am

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you

Check that as well please.

cheching · September 7, 2022, 2:50am

Hi Sir,

Thanks for your replied, I think I've solved the issue of the certs. But there another outcome issue after that-
(Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/elasticsearch.keystore.tmp)

I'm not really familiar on this, appreciate if you could help on this. Would like to let you know I'm configuring the alerting and action settings in Kibana, but unfortunately I've encountered some of the errors.

Thanks again

system · October 5, 2022, 2:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch startup problemse Elasticsearch elastic-stack-security	6	1413	April 4, 2022
Elastic-search SSL certification error, unable to open kibana Elasticsearch elastic-stack-security	10	8965	September 7, 2019
Elasticsearch failed start when enable x-pack security Elasticsearch elastic-stack-security	13	2435	April 29, 2022
Failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/root.p12] does not contain any trusted certificate entries Elasticsearch	3	72	September 19, 2024
ElasticSearch with SSL? Elasticsearch elastic-stack-security	12	21816	November 28, 2019

Xpack.security.transport.ssl setup issue

Related topics