ElasticsearchException[Cannot recover key] - search-guard-2(2.3.1.0-beta1)
192 views
Skip to first unread message
soporte...@gmail.com
Apr 21, 2016, 12:13:28 PM4/21/16
to Search Guard
I installed on ElasticSearch 2.3.1 the last version of Search Guard: search-guard-2(
the error:
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN No appenders could be found for logger (common).
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN Please initialize the log4j system properly.
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,228][WARN ][bootstrap ] unable to install syscall filter: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node ] [Deathurge] version[2.3.1], pid[12243], build[bd98092/2016-04-04T12:
2.3.1.0-beta1) and search-guard-ssl(2.3.1.8.1)
the error:
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN No appenders could be found for logger (common).
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN Please initialize the log4j system properly.
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,228][WARN ][bootstrap ] unable to install syscall filter: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node ] [Deathurge] version[2.3.1], pid[12243], build[bd98092/2016-04-04T12:
25:05Z]
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node ] [Deathurge] initializing ...
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr 21 14:56:50 usve77073 elasticsearch: This is alpha software, do not use in production
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,026][INFO ][plugins ] [Deathurge] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites []
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] using [1] data paths, mounts [[/ (/dev/vzfs)]], net usable_space [375.3gb], net total_space [400gb], spins? [possibly], types [reiserfs]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] heap size [989.8mb], compressed ordinary object pointers [true]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][WARN ][env ] [Deathurge] max file descriptors [65535] for elasticsearch process likely too low, consider increasing to at least [65536]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,103][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Effective settings:
Apr 21 14:56:50 usve77073 elasticsearch: client.type=node
Apr 21 14:56:50 usve77073 elasticsearch: cluster.name=elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: config.ignore_system_properties=true
Apr 21 14:56:50 usve77073 elasticsearch: name=Deathurge
Apr 21 14:56:50 usve77073 elasticsearch: path.conf=/etc/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.data=/var/lib/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.home=/usr/share/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.logs=/var/log/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: pidfile=/var/run/elasticsearch/elasticsearch.pid
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.enabled=true
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_filepath=/etc/elasticsearch/instore-keystore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_filepath=/etc/elasticsearch/truststore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: security.manager.enabled=false
Apr 21 14:56:50 usve77073 elasticsearch: Exception in thread "main" ElasticsearchException[Cannot recover key]; nested: UnrecoverableKeyException[Cannot recover key];
Apr 21 14:56:50 usve77073 elasticsearch: Likely root cause: java.security.UnrecoverableKeyException: Cannot recover key
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
Apr 21 14:56:50 usve77073 elasticsearch: at java.security.KeyStore.getKey(KeyStore.java:1023)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:84)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:192)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:132)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:113)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.<init>(Node.java:179)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.<init>(Node.java:140)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Apr 21 14:56:50 usve77073 elasticsearch: Refer to the log for complete error details.
NOTE: The passwords are in text. i changed for *** in post.
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node ] [Deathurge] initializing ...
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr 21 14:56:50 usve77073 elasticsearch: This is alpha software, do not use in production
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,026][INFO ][plugins ] [Deathurge] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites []
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] using [1] data paths, mounts [[/ (/dev/vzfs)]], net usable_space [375.3gb], net total_space [400gb], spins? [possibly], types [reiserfs]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] heap size [989.8mb], compressed ordinary object pointers [true]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][WARN ][env ] [Deathurge] max file descriptors [65535] for elasticsearch process likely too low, consider increasing to at least [65536]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,103][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Effective settings:
Apr 21 14:56:50 usve77073 elasticsearch: client.type=node
Apr 21 14:56:50 usve77073 elasticsearch: cluster.name=elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: config.ignore_system_properties=true
Apr 21 14:56:50 usve77073 elasticsearch: name=Deathurge
Apr 21 14:56:50 usve77073 elasticsearch: path.conf=/etc/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.data=/var/lib/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.home=/usr/share/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.logs=/var/log/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: pidfile=/var/run/elasticsearch/elasticsearch.pid
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.enabled=true
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_filepath=/etc/elasticsearch/instore-keystore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_filepath=/etc/elasticsearch/truststore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: security.manager.enabled=false
Apr 21 14:56:50 usve77073 elasticsearch: Exception in thread "main" ElasticsearchException[Cannot recover key]; nested: UnrecoverableKeyException[Cannot recover key];
Apr 21 14:56:50 usve77073 elasticsearch: Likely root cause: java.security.UnrecoverableKeyException: Cannot recover key
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
Apr 21 14:56:50 usve77073 elasticsearch: at java.security.KeyStore.getKey(KeyStore.java:1023)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:84)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:192)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:132)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:113)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.<init>(Node.java:179)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.<init>(Node.java:140)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Apr 21 14:56:50 usve77073 elasticsearch: Refer to the log for complete error details.
NOTE: The passwords are in text. i changed for *** in post.
SG
Apr 25, 2016, 4:48:45 PM4/25/16
to search...@googlegroups.com
"java.security.UnrecoverableKeyException: Cannot recover key" typically means that the password is incorrect.
Do you have more than one private key with different password in instore-keystore.jks?
Pls make also sure that the keystore password and the password of the key are the same.
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e3ecb0c2-8411-4e98-8102-a5244ac3bede%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Do you have more than one private key with different password in instore-keystore.jks?
Pls make also sure that the keystore password and the password of the key are the same.
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e3ecb0c2-8411-4e98-8102-a5244ac3bede%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages