Empty file path for searchguard.ssl.transport.pemkey_filepath

[Jorge Martins]

Hi,

I'm getting a Empty file path for searchguard.ssl.transport.pemkey_filepath error even tough I have specified the path on the elasticsearch.yml file.

I'm using a Letsencrypt certificate

Full Error

ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

Trace:

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452)

        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:105)

        at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:103)

        at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:128)

        at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:251)

        at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:871)

        at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)

        at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Caused by: java.lang.reflect.InvocationTargetException

        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443)

        ... 7 more

Caused by: ElasticsearchException[Empty file path for searchguard.ssl.transport.pemkey_filepath]

        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:701)

        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:193)

        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:282)

        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145)

        at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:192)

        at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:182)

        ... 12 more

/etc/elasticsearch/elasticsearch.yml

...

searchguard.ssl.transport.pemkey_filepath: privkey.pem

searchguard.ssl.transport.pemcert_filepath: fullchain.pem

searchguard.ssl.transport.pemtrustedcas_filepath: chain.pem

searchguard.ssl.transport.enforce_hostname_verification: true

...

Elasticsearch version: 6.1.3

Searchguard version: 6.1.3-21.0

Java version: 1.8.0_161

Thank you

[SG]

Can you pls post the startup log of your elasticsearch node?
Maybe /etc/elasticsearch/elasticsearch.yml is not the configuration file which is really used?

> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/7ac79510-73ad-40b2-9f10-26e2c3e67aa4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Jorge Martins]

[2018-02-15T19:08:25,182][INFO ][o.e.n.Node               ] [] initializing ...

[2018-02-15T19:08:25,367][INFO ][o.e.e.NodeEnvironment    ] [6PJrZCB] using [1] data paths, mounts [[/ (/dev/root)]], net usable_space [41.9gb], net total_space [47gb], types [ext4]

[2018-02-15T19:08:25,367][INFO ][o.e.e.NodeEnvironment    ] [6PJrZCB] heap size [1007.3mb], compressed ordinary object pointers [true]

[2018-02-15T19:08:25,499][INFO ][o.e.n.Node               ] node name [6PJrZCB] derived from node ID [6PJrZCByTOyTJ5JBzaeBWA]; set [node.name] to override

[2018-02-15T19:08:25,499][INFO ][o.e.n.Node               ] version[6.1.3], pid[31574], build[af51318/2018-01-26T18:22:55.523Z], OS[Linux/4.14.14-x86_64-linode94/amd64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_161/25.161-b12]

[2018-02-15T19:08:25,499][INFO ][o.e.n.Node               ] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch]

[2018-02-15T19:08:27,381][WARN ][c.f.s.SearchGuardPlugin  ] Search Guard plugin installed but disabled. This can expose your configuration (including passwords) to the public.

[2018-02-15T19:08:27,390][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [aggs-matrix-stats]

[2018-02-15T19:08:27,390][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [analysis-common]

[2018-02-15T19:08:27,390][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [ingest-common]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [lang-expression]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [lang-mustache]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [lang-painless]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [mapper-extras]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [parent-join]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [percolator]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [reindex]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [repository-url]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [transport-netty4]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded module [tribe]

[2018-02-15T19:08:27,392][INFO ][o.e.p.PluginsService     ] [6PJrZCB] loaded plugin [search-guard-6]

btw, i'm using the following command I got from the documentation: sudo ./sgadmin.sh -cd ../sgconfig/ -icl -nhnv -cacert root-ca.pem -cert crtfull.pem -key key.pem

I'm not sure about this, because the documentation is not clear, when I do -cd ../sgconfig/ does that also use the elasticsearch.yml.example file on the sgconfig folder? or uses only the sg_*.yml files?

Can that be the error? Do I need to specifie a specific location of the elasticsearch.yml?

[Jochen Kressin]

elasticsearch.yml.example is not touched by sgadmin. In fact, in order for changes to the easticsearch.yml to take effect you have to restart the node.

So just to be clear, when does this exception happen? When you start the node, or when you execute sgadmin?

The log entries you sent indicate that you disabled Search Guard:

[2018-02-15T19:08:27,381][WARN ][c.f.s.SearchGuardPlugin  ] Search Guard plugin installed but disabled. This can expose your configuration (including passwords) to the public.

Is this on purpose?

To examine further we need the *full* elasticsearch log, including startup sequence, and the exception you mentioned above. Ideally, send also your elasticsearch.yaml and the sg_config.yaml you are using.

[Jorge Martins]

The exception happens when I execute sgadmin.

Yes, I disabled Search Guard after I was unable to configure it.

I've attached elasticsearch.log, elasticsearch.yaml and sg_config.yaml

I notice the SSL Problem Received fatal alert: certificate_unknown errors in elasticsearch.log

I'm using certificates created by letsencrypt and followed the searchguard-ssl-config-template.yml example.

If you feel that its better, I can reinstall all again and use you demo installer just to make sure.

Thank you

EDIT: I changes the IP adress on the elasticsearch.log to 000.000.000.00 just to not disclose my IP

[SG]

The root cause is "No subject alternative DNS name matching localhost found."
So i guess you need to set network.host in elasticsearch.yml to your correct hostname (or whatever is in your letsencrypt certs as CN or SAN),
see https://github.com/floragunncom/search-guard/issues/442 and https://groups.google.com/forum/#!searchin/search-guard/subject$20alternative|sort:date/search-guard/ldix18ctTk8/5sCT59chBAAJ

> Am 19.02.2018 um 19:45 schrieb Jorge Martins <jorge....@wemake.pt>:
>
>
> The exception happens when I execute sgadmin.
>
> Yes, I disabled Search Guard after I was unable to configure it.
>
>
> I've attached elasticsearch.log, elasticsearch.yaml and sg_config.yaml
>
>
> I notice the SSL Problem Received fatal alert: certificate_unknown errors in elasticsearch.log
>
> I'm using certificates created by letsencrypt and followed the searchguard-ssl-config-template.yml example.
>
>
>
> If you feel that its better, I can reinstall all again and use you demo installer just to make sure.
>
> Thank you
>
>
>
>
>
>
>

> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/aa5e568a-6795-42c2-8366-ee4f14a3c39e%40googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.

> <elasticsearch.log><sg_config.yml><elasticsearch.yml>