Issue Running SGAdmin


Benjamin Shoemaker

Aug 10, 2016, 8:43:18 AM
to Search Guard
All-
We're attempting to implement SearchGuard.
We seem to have the SearchGuard-SSL side working pretty well - if search guard isn't up, we can serve the REST API over HTTPS.

However, as soon as SearchGuard is installed, the API starts complaining that 'Search Guard not initialized (SG11)', and we start seeing '[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized' in the logs.

Other threads have suggested that this is resolved by running the sgadmin script, to initialize the base configuration.

However, when we attempted to run the scripts, we're seeing the following:

 

root@localhost:/usr/share/elasticsearch/plugins/search-guard-2/tools# sudo ./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn SHU -ks /home/ubuntu/search-guard-ssl/example-pki-scripts/node-0-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv

Connect to localhost:9300

Clustername: SHU

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it ... done

Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml

   SUCC
Configuration for 'config' created or updated

Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml

   SUCC
Configuration for 'roles' created or updated

Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml

   SUCC
Configuration for 'rolesmapping' created or updated

Will update 'internalusers' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml

   SUCC
Configuration for 'internalusers' created or updated

Will update 'actiongroups' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml

   SUCC
Configuration for 'actiongroups' created or updated

FAIL: Expected 5 config types for node 66wwVFDqRl-85qwtB3f33Q but got only []

Done with failures

In the logs, all we're seeing is:

[2016-08-10 12:34:23,473][TRACE][com.floragunn.searchguard.auth.BackendRegistry] Headers:

Context:

[cursor, index: 3, key: _sg_ssl_cipher, value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]=null

[cursor, index: 7, key: _sg_ssl_protocol, value: TLSv1.2]=null


[2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized

[2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Vader] Unable to load all configurations types. Loaded '[]' but should '[config, roles, rolesmapping, internalusers, actiongroups]'

This seems to indicate it needs to be initialized to run the sgadmin script? A catch-22? I imagine I'm doing something incorrect - any thoughts?

Thanks!
Ben


Benjamin Shoemaker

Aug 10, 2016, 11:09:40 PM
to Search Guard
Additionally, I've upgraded to V5, and can now see that requests are apparently timing out on 9300?

[2016-08-11 03:06:34,383][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (first object) due to null (null means timeout)

[2016-08-11 03:06:34,384][WARN ][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (first object) due to timeout



Which is very strange to me, considering the script reports that it can connect over 9300, and I can see that come through in the logs.

Will connect to localhost:9300 ... done

Contacting elasticsearch cluster 'SHU' and wait for YELLOW clusterstate ...

Clustername: SHU

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

Search Guard index already exists, so we do not need to create one.


Am I vastly misunderstanding what's going on here?

in...@search-guard.com

Aug 11, 2016, 4:03:10 AM
to Search Guard
That sounds strange (you may also look here https://github.com/floragunncom/search-guard/issues/182, seems to be related)

Can you provide
- Full elasticsearch logfile on DEBUG level (from elasticsearch start point until sgadmin finished + one or two minutes)
- Full output of sgadmin
- Your elasticsearch.yml
- Operating system and JVM version/vendor

Benjamin Shoemaker

Aug 11, 2016, 9:12:12 AM
to Search Guard
Yep - files are attached.

We're running:

Distributor ID: Ubuntu

Description: Ubuntu 16.04.1 LTS

Release: 16.04

Codename: xenial


openjdk version "1.8.0_91"

OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)

OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)



The SSL Truncation Errors in the log appear when I force-killed sgadmin, so I don't think those are necessarily a symptom.


It's also worth noting that I've tried both the JDK and OpenSSL SSL implementations, and both appear to have the same result.


Thanks!
Ben


sgadmin_output.rtf
SHU.log
elasticsearch.yml

in...@search-guard.com

Aug 11, 2016, 10:21:20 AM
to Search Guard

Benjamin Shoemaker

Aug 11, 2016, 10:58:34 AM
to search...@googlegroups.com
Unfortunately, no luck there. I'm getting 'Generic Error' timeouts, now.

Thank you for the suggestion, though!

-Ben

[2016-08-11 14:56:59,954][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:56:59,955][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for internalusers

[2016-08-11 14:56:59,955][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context []

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:00,870][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

[2016-08-11 14:57:00,872][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] Is not an inter cluster request

[2016-08-11 14:57:02,681][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:57:02,681][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for actiongroups

[2016-08-11 14:57:02,682][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context []

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:05,874][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found





--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/1SVq0DCUk50/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d2024bfb-0579-4d54-9790-17d690710ec6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Ben Shoemaker
Programmer/Analyst

bshoe...@setonhill.edu

This document may contain confidential information and is intended solely 
for the use of the addressee. If you received it in error, please contact 
the sender at once and destroy the document. The document may contain 
information subject to restrictions of the Family Educational Rights and 
Privacy and the Gramm-Leach-Bliley Acts. Such information may not be 
disclosed or used in any fashion outside the scope of the service for which 
you are receiving the information.

SG

Aug 11, 2016, 11:34:27 AM
to search...@googlegroups.com
Maybe I found something; it seems like the node SSL certificate does not have the right SAN.
How did you generate the certificates?

Please install: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6cf-SNAPSHOT/search-guard-2-2.3.4.6cf-20160811.153248-1.zip

and look for debug output like:

[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] serial 1
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,808][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] serial 2
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ext null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] 2. CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com X.509
[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] serial 1
[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ext null
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] san null
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 3. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] serial 1
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
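The SAN check requested in the message above can be automated over the DEBUG output. The following is an added example, not part of the original thread and not Search Guard's own code: it parses `SearchGuardTransportService` certificate dumps and reports, for each non-CA certificate, whether its SAN carries a registeredID entry. It assumes the `[8, 1.2.3.4.5.5]` entry in the sample output is the marker a node certificate is expected to have; the function names and log samples are constructed for illustration.

```python
import re

# Assumption: the registeredID value is the one shown in the sample output above.
NODE_OID = "1.2.3.4.5.5"
REGISTERED_ID = 8  # RFC 5280 GeneralName tag (2 = dNSName, 7 = iPAddress)

# "[timestamp][DEBUG][...SearchGuardTransportService] message"
LINE = re.compile(
    r"^\[[^\]]*\]\[\s*DEBUG\s*\]\[[^\]]*SearchGuardTransportService\]\s+(.*)$")
CERT_START = re.compile(r"^(\d+)\. (.+) X\.509$")
SAN_ENTRY = re.compile(r"\[(\d+), ([^\]]+)\]")


def parse_chain(log_text):
    """Return one dict per certificate block found in the DEBUG output."""
    certs = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other loggers, stack traces, blank lines
        msg = m.group(1).strip()
        start = CERT_START.match(msg)
        if start:
            certs.append({"index": int(start.group(1)),
                          "subject": start.group(2), "issuer": "", "san": []})
        elif certs and msg.startswith("issuer "):
            certs[-1]["issuer"] = msg[len("issuer "):]
        elif certs and msg.startswith("san "):
            # "san null" contains no [tag, value] pairs and yields []
            certs[-1]["san"] = [(int(tag), value.strip()) for tag, value
                                in SAN_ENTRY.findall(msg[len("san "):])]
    return certs


def audit_node_certs(log_text, node_oid=NODE_OID):
    """Return (index, subject, status) for every certificate that is not a CA.

    A certificate counts as a CA here when its subject appears as an issuer
    in the dumped chain, so a self-signed leaf would be skipped as well.
    """
    certs = parse_chain(log_text)
    issuers = {c["issuer"] for c in certs}
    findings = []
    for c in certs:
        if c["subject"] in issuers:
            continue
        if not c["san"]:
            status = "no SAN"
        elif (REGISTERED_ID, node_oid) not in c["san"]:
            status = "SAN lacks registeredID " + node_oid
        else:
            status = "ok"
        findings.append((c["index"], c["subject"], status))
    return findings


def _sample(*messages):
    prefix = "[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] "
    return "\n".join(prefix + m for m in messages)


_NODE = "CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE"
_SIGNING = ("CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, "
            "O=Example Com Inc., DC=example, DC=com")
_ROOT = ("CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, "
         "O=Example Com Inc., DC=example, DC=com")

# Constructed sample: shortened from the output quoted in the message above.
GOOD_LOG = _sample(
    "Certs count: 2",
    "0. " + _NODE + " X.509",
    "san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
    "issuer " + _SIGNING,
    "1. " + _SIGNING + " X.509",
    "san null",
    "issuer " + _ROOT,
)

# Constructed sample: the same chain with the registeredID entry missing.
BAD_LOG = GOOD_LOG.replace(", [8, 1.2.3.4.5.5]", "")

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        for index, subject, status in audit_node_certs(log):
            print(f"{name}: cert {index} {subject}: {status}")
```
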

Benjamin Shoemaker

Aug 11, 2016, 11:58:53 AM
to search...@googlegroups.com
I generated the certs with the example.sh script from search-guard-ssl.

Should I be attempting to run the sgadmin.sh script with the 'kirk' certificate, or the node-0 certificate?
I've added both to elasticsearch.yml as valid admin dn's.


An example log is attached (using node-0 keystore)

Thanks,
Ben


SHU3.log

SG

Aug 11, 2016, 12:23:11 PM
to search...@googlegroups.com
With the kirk certificate - does this work?

Benjamin Shoemaker

Aug 11, 2016, 12:26:20 PM
to search...@googlegroups.com
No, the kirk certificate provides the same results, as far as I can tell.

-Ben


SG

Aug 11, 2016, 12:32:02 PM
to search...@googlegroups.com
Does https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle work?

If not, can you try using Oracle JDK (instead of OpenJDK)?

Benjamin Shoemaker

Aug 12, 2016, 9:27:10 AM
to search...@googlegroups.com
No luck.
I tried the search guard bundle, and then Oracle JDK w/ search guard bundle, and got the same results.

It makes me think there is some sort of network issue going on.
Is there a list of ports that need to be available?  I had assumed just 9200 & 9300?
Is there a supported java version?

-Ben


For more options, visit https://groups.google.com/d/optout.

SG

unread,
Aug 13, 2016, 5:31:06 PM8/13/16
to search...@googlegroups.com
Just to be sure: The search guard bundle worked or not?

Regarding network: 9200 and 9300 is normally OK, but from the logs I saw that you have only one node?

Regarding JVM: Best one is Oracle Java 8

Girish Patil

unread,
Aug 15, 2016, 3:39:27 AM8/15/16
to Search Guard

Getting the error - [2016-08-15 07:35:58,101][WARN ][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (2 object) due to timeout

Anyone managed to fix this?

John Bakker

unread,
Aug 15, 2016, 3:42:57 AM8/15/16
to Search Guard
No, having exactly the same behavior.

I'm putting my updates in https://github.com/floragunncom/search-guard/issues/142#issuecomment-236005509 

On Monday, August 15, 2016 at 09:39:27 UTC+2, Girish Patil wrote:

Benjamin Shoemaker

unread,
Aug 15, 2016, 7:55:48 AM8/15/16
to search...@googlegroups.com
Interestingly, I was able to solve my issue - no idea at root cause, though.

Initially, I was building a box on Amazon, and experiencing the timeouts, even though I certainly had security rules allowing 9200 & 9300.
As a last-ditch attempt, I built a box on our on-prem hosting with the same OS version, and everything worked flawlessly the first time through.
I imagine it was some sort of network-related glitch that I was missing, but I don't know precisely what - I checked everything I could think of.

-Ben


bri...@fit-pay.com

unread,
Aug 15, 2016, 1:20:51 PM8/15/16
to Search Guard
Ben, do you have the 'cloud-aws' ES plugin installed?
My understanding is this is a requirement for 9300 discovery to work within AWS.
With it installed auto-discovery works fine for me with 3+ EC2 instances/nodes.

thanks,
brian



Girish Patil

unread,
Aug 15, 2016, 8:53:39 PM8/15/16
to Search Guard
I installed the "cloud-aws" plugin but still have the same issue on AWS. I can run the Search Guard bundle in local environment but not on cloud.

bri...@fit-pay.com

unread,
Aug 16, 2016, 1:11:01 PM8/16/16
to Search Guard
It works in AWS for sure... maybe confirm your security groups allow ES default ports 9200 (data) and 9300 (discovery)... and that
you can reach them from each other. I ran sgadmin locally and it updated that node and there was a little propagation delay to the other nodes.
Basically I got one node working in ES with sgadmin and then a bit later the other nodes were happy as well once the index propagated.

Overall, I got ES set up and working before installing SG SSL.
Once SG SSL was working and TLS enabled between ES nodes I installed SG and ran sgadmin.  
One problem I saw is that sgadmin didn't run correctly the first time. 
I had to restart ES and re-run sgadmin... and it stopped logging that 'environment not found message'.

So my advice... keep bouncing ES and reload the SG plugin a few times.
Once the SG index that sgadmin creates is in ES and available on all nodes everything seems to behave perfectly on startup/shutdown. 
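
The two log symptoms quoted in this thread can be checked against the time sgadmin was last run, to confirm that a restart and re-run actually cleared them. This is an added example, not part of the original posts and not Search Guard's own tooling; the function names, the cutoff argument and every sample line except the first are constructed for illustration.

```python
import re
from datetime import datetime

# Log line layout as quoted in this thread:
# [2016-08-10 02:58:55,677][ERROR][logger.name] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]"
    r"\[(?P<level>[A-Z]+)\s*\]"
    r"\[(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$"
)

# The two symptoms reported in the thread: (logger class suffix, message fragment).
SYMPTOMS = {
    "not_initialized": ("BackendRegistry", "Not yet initialized"),
    "config_timeout": ("ConfigurationLoader", "due to timeout"),
}

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def triage(lines, sgadmin_run_at):
    """Count each symptom before and after the time sgadmin was last run."""
    cutoff = parse_ts(sgadmin_run_at)
    report = {n: {"before": 0, "after": 0, "last_seen": None} for n in SYMPTOMS}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack traces and continuation lines carry no header
        for name, (cls, needle) in SYMPTOMS.items():
            if m["logger"].endswith(cls) and needle in m["msg"]:
                side = "before" if parse_ts(m["ts"]) < cutoff else "after"
                report[name][side] += 1
                report[name]["last_seen"] = m["ts"]  # log is chronological
    return report

def still_failing(report):
    """Symptoms that kept appearing after sgadmin ran."""
    return sorted(n for n, r in report.items() if r["after"] > 0)

# First line is from the thread; the rest are constructed sample data.
SAMPLE_LOG = """\
[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized
[2016-08-10 02:59:10,102][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized
[2016-08-10 03:05:00,000][WARN ][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (2 object) due to timeout
[2016-08-10 03:06:30,500][INFO ][node] started
""".splitlines()

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, "2016-08-10 03:00:00,000")
    print(rep, still_failing(rep))
```

Running it per node shows which nodes are still logging either symptom after the configuration index should have propagated.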