"xpack.security.transport.ssl.truststore.path" "SSL resources should be placed in"

I'm storing my elasticsearch.yml config file and the PKCS#12 certificates in different paths.

ES_PATH_CONF=C:\Repos\DevOps\Elastic\config\elasticsearch\elasticsearch-config

elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: '${ES_CERT_PATH}\${node.name}.p12'
xpack.security.transport.ssl.truststore.path: '${ES_CERT_PATH}\${node.name}.p12'

I get this exception when I start a node:

Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - access to read truststore file [C:\elasticstack\certs\node1.p12] is blocked; SSL resources should be placed in the [C:\Repos\DevOps\Elastic\config\elasticsearch\elasticsearch-config] directory

Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\elasticstack\certs\node1.p12" "read")

Is it possible to store the PKCS#12 certificates in a different location than the config path? If so, what other configuration needs to be set to allow access? (If this can be solved by PEM files, that's an acceptable solution as well.)

No, Elasticsearch runs with a security manager enabled, which intentionally prevents the process from having access to other directories.
All certificates and keys need to be somewhere under the config directory.
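
A pre-start check for the restriction described in this thread, as an added example that is not part of the original posts and is not Elasticsearch code: it lists the SSL `*.path` settings whose expanded value falls outside the config directory. It assumes a flat `key: value` file, that relative paths resolve against the config directory, and that the caller supplies the placeholder values; the function names and sample values are constructed for illustration.

```python
import ntpath
import re

# Constructed sample: one path outside the config directory, one relative path.
SAMPLE_YML = r"""
xpack.security.enabled: true
xpack.security.transport.ssl.keystore.path: '${ES_CERT_PATH}\${node.name}.p12'
xpack.security.transport.ssl.truststore.path: 'certs\${node.name}.p12'
"""

SSL_PATH_KEY = re.compile(r"^\s*([\w.]+\.ssl\.[\w.]*path)\s*:\s*(.+?)\s*$")
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def ssl_paths(yml_text, values):
    """Yield (setting, expanded path) for flat 'key: value' SSL path settings."""
    for line in yml_text.splitlines():
        m = SSL_PATH_KEY.match(line)
        if m:
            raw = m.group(2).strip("'\"")
            # 'values' maps placeholder names to strings (supplied by the caller).
            yield m.group(1), PLACEHOLDER.sub(lambda p: values[p.group(1)], raw)


def is_under_config(path, config_dir):
    """Lexical containment test using Windows rules; symlinks are not resolved."""
    if not ntpath.isabs(path):
        # Assumption: relative paths are resolved against the config directory.
        path = ntpath.join(config_dir, path)
    full = ntpath.normcase(ntpath.normpath(path))   # collapses '..', ignores case
    root = ntpath.normcase(ntpath.normpath(config_dir)).rstrip("\\")
    return full.startswith(root + "\\")


def blocked_settings(yml_text, values, config_dir):
    """Return (setting, path) pairs that point outside the config directory."""
    return [(k, p) for k, p in ssl_paths(yml_text, values)
            if not is_under_config(p, config_dir)]


if __name__ == "__main__":
    conf = r"C:\Repos\DevOps\Elastic\config\elasticsearch\elasticsearch-config"
    vals = {"ES_CERT_PATH": r"C:\elasticstack\certs", "node.name": "node1"}
    for key, path in blocked_settings(SAMPLE_YML, vals, conf):
        print(f"{key}: {path} is outside {conf}")
```
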
