Xpack.security.transport.ssl setup issue

Hi Team,

I need your assistance to look into the issue below. I'm using self-hosted Kibana and Elasticsearch. I got an error after I generated the certificates and copied them into the etc/elasticsearch/certs path. After I configured the elasticsearch.yml file, Elasticsearch was unable to start. Below are my configuration in elasticsearch.yml and the error logs. I would appreciate it if you could help with this. Thanks again.

elasticsearch.yml

xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
client_authentication: required
keystore.path: certs/elastic-certificates.p12
truststore.path: certs/elastic-certificates.p12

Error logs from journalctl -xeu elasticsearch.service

Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: uncaught exception in thread [main]
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/certs/ela>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.j>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.jav>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.jav>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystem>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemP>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.nio.file.Files.newInputStream(Files.java:160)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConf>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTru>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.j>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1220)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.HashMap.forEach(HashMap.java:1421)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLServ>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.jav>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.jav>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.node.Node.lambda$new$16(Node.java:662)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Array>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.jav>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipel>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOp>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.jav>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.ja>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.node.Node.<init>(Node.java:676)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: at org.elasticsearch.node.Node.<init>(Node.java:277)
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: <<<truncated>>>
Sep 06 14:31:54 kibana-virtual-machine systemd-entrypoint[7328]: For complete error details, refer to the log at /var/log/elasticsearch/mims-lab.log
Sep 06 14:31:54 kibana-virtual-machine systemd[1]: elasticsearch.service: Main process exited, code=exited, status=1/FAILURE

This should be like:

xpack.security.transport.ssl.enabled: true

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

Check that as well please.

Hi Sir,

Thanks for your reply. I think I've solved the issue with the certs, but there is another issue after that:
(Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/elasticsearch.keystore.tmp)

I'm not really familiar with this, and I'd appreciate it if you could help. I would like to let you know that I'm configuring the alerting and action settings in Kibana, but unfortunately I've encountered some errors.

Thanks again
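
Editor's added example, not part of any post in this thread: both `java.nio.file.AccessDeniedException` lines quoted above are filesystem access failures seen by the account the service runs as, so this check walks a keystore path to the first component that account cannot pass and tests whether it can create a file such as `/etc/elasticsearch/elasticsearch.keystore.tmp`. The function names and the script name `check_access.sh` are hypothetical, and the service account name `elasticsearch` is an assumption.

```shell
#!/bin/sh
# Added example; run it as the service account so the checks reflect what
# Elasticsearch sees (account name "elasticsearch" is an assumption):
#   sudo -u elasticsearch sh check_access.sh <keystore-path> <file-to-create>

# Walk an absolute path from / and report the first component that blocks
# the current user: directories need search (x), the final file needs read (r).
first_blocker() {
    fb_rest=${1#/}
    fb_cur=""
    while [ -n "$fb_rest" ]; do
        fb_part=${fb_rest%%/*}
        case $fb_rest in
            */*) fb_rest=${fb_rest#*/} ;;
            *)   fb_rest="" ;;
        esac
        fb_cur="$fb_cur/$fb_part"
        if [ ! -e "$fb_cur" ]; then echo "missing: $fb_cur"; return 1; fi
        if [ -n "$fb_rest" ]; then
            [ -x "$fb_cur" ] || { echo "no search permission: $fb_cur"; return 1; }
        else
            [ -r "$fb_cur" ] || { echo "no read permission: $fb_cur"; return 1; }
        fi
    done
    echo "ok"
}

# Can the current user create (or overwrite) this file? Creating a new file
# needs write and search permission on the parent directory.
can_write_file() {
    cw_dir=$(dirname -- "$1")
    if [ -e "$1" ]; then
        [ -w "$1" ] || { echo "exists but not writable: $1"; return 1; }
    elif [ ! -w "$cw_dir" ] || [ ! -x "$cw_dir" ]; then
        echo "cannot create files in: $cw_dir"; return 1
    fi
    echo "ok"
}

# Stand-alone use: first argument is read-checked, second is write-checked.
if [ $# -eq 2 ]; then
    echo "read  $1: $(first_blocker "$1")"
    echo "write $2: $(can_write_file "$2")"
fi
```

Running the same script as root and as the service account and comparing the two outputs shows whether ownership or mode bits are what differ.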