openjdk version "1.8.0_191"
OpenJDK Runtime Environment (IcedTea 3.10.0) (Alpine 8.191.12-r0)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
-key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca \ -out certs/ca.cert.pem
-key intermediate/private/intermediate.key.pem \
-out intermediate/csr/intermediate.csr.pem
-days 3650 -notext -md sha256 \ -in intermediate/csr/intermediate.csr.pem \ -out intermediate/certs/intermediate.cert.pem
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
ca:
root:
dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
keysize: 2048
validityDays: 3650
pkPassword: password
file: root-ca.pem
defaults:
validityDays: 3650
pkPassword: password
nodeOid: "1.2.3.4.5.5"
httpsEnabled: true
nodes:
- name: node1
dn: CN=node1.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
ip: 172.17.0.2
clients:
- name: spock
dn: CN=spock.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
- name: kirk
dn: CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
admin: true
bash-4.4# ls out/
client-certificates.readme node1.key node1_http.key root-ca.pem
kirk.key node1.pem node1_http.pem spock.key
kirk.pem node1_elasticsearch_config_snippet.yml root-ca.key spock.pem
./plugins/search-guard-5/tools/sgadmin.sh --enable-shard-allocation -cert config/kirk.pem -key config/kirk.key -cacert config/root-ca.pem -keypass password
...
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{X5vEOTP6QkiyQUilzhm_4Q}{localhost}{127.0.0.1:9300}]
ERR: Cannot connect to elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{X5vEOTP6QkiyQUilzhm_4Q}{localhost}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:59)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:366)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:408)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:397)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:724)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.updateSettings(AbstractClient.java:791)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:466)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:115)
http.host: 0.0.0.0
# Uncomment the following lines for a production cluster deployment
#transport.host: 0.0.0.0
#discovery.zen.minimum_master_nodes: 1
######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.allow_unsafe_democertificates: true
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=de
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{JfHlZxdjRiCTHaoP_tU8Tw}{localhost}{127.0.0.1:9300}]
Diagnostic trace written to: /usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin_diag_trace_2019-Mar-08_22-15-21.txt
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: None of the configured nodes are available: [{#transport#-1}{JfHlZxdjRiCTHaoP_tU8Tw}{localhost}{127.0.0.1:9300}]. This is not an error, will keep on trying ...
Root cause: NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{JfHlZxdjRiCTHaoP_tU8Tw}{localhost}{127.0.0.1:9300}]] (org.elasticsearch.client.transport.NoNodeAvailableException/org.elasticsearch.client.transport.NoNodeAvailableException)
* Try running sgadmin.sh with -icl (but no -cl) and -nhnv (If thats works you need to check your clustername as well as hostnames in your SSL certificates)
* Make also sure that your keystore or cert is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
* If this is not working, try running sgadmin.sh with --diagnose and see diagnose trace log file)
* Add --accept-red-cluster to allow sgadmin to operate on a red cluster.