Empty file path for searchguard.ssl.transport.pemkey_filepath


Aleksei Saiko

Mar 4, 2019, 10:13:39 AM
to search...@googlegroups.com
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
SG=6.5.1-24.1
ES=6.5.1


* JVM version and operating system version
JVM=1.8.0_162
OS=Ubuntu 18.04.1 LTS


* Search Guard configuration files
from elasticsearch.yml
searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: raAtcE0mTfuk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
- CN=es-encr-002.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
- CN=es-encr-003.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.XXXX.com,OU=IL,O=XXXX Com\, Inc.,DC=XXXX,DC=com
"elasticsearch.yml" 115L, 4129C



* Elasticsearch log messages on debug level
[c.f.s.a.BackendRegistry  ] [es-encr-001] Not yet initialized (you may need to run sgadmin)




Hello,
I followed the document for installing SG - https://docs.search-guard.com/latest/search-guard-installation
I have an ES cluster of 3 nodes, generated all the certificates using your TLS tool, and did everything step by step according to the doc.

Now, when I want to initialize the SG, I run the next command - 
/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh  -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername

And receiving the following error - 
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:607)
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:112)
at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:108)
at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:133)
at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:273)
at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:890)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:445)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:598)
... 7 more
Caused by: ElasticsearchException[Empty file path for searchguard.ssl.transport.pemkey_filepath]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:800)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:210)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:327)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:151)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:193)
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:212)
... 12 more


It says that "Empty file path for searchguard.ssl.transport.pemkey_filepath", but I do use the -keypass inside the command.

Can you advise, please?

Thanks,

Aleksei

SG

Mar 4, 2019, 6:08:14 PM
to search...@googlegroups.com
Your command should look like

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername -key /etc/elasticsearch/kirk.key.pem

You are missing the "-key" argument which must point to the file where the key for your cert is stored. This is named similar to kirk.key.pem or kirk.key.

> On 04.03.2019 at 07:13, Aleksei Saiko <alekse...@gmail.com> wrote:
>
> When asking questions, please provide the following information:
>
> * Search Guard and Elasticsearch version
> SG=6.5.1-24.1
> ES=6.5.1
>
>
> * JVM version and operating system version
> JVM=1.8.0_162
> OS=Ubuntu 18.04.1 LTS
>
>
> * Search Guard configuration files
> from elasticsearch.yml
> searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
> searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
> searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX
> searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
> searchguard.ssl.transport.enforce_hostname_verification: false
> searchguard.ssl.transport.resolve_hostname: false
> searchguard.ssl.http.enabled: false
> searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
> searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
> searchguard.ssl.http.pemkey_password: raAtcE0mTfuk
> searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
> searchguard.nodes_dn:
> - CN=es-encr-001.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
> - CN=es-necr-002.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
> - CN=es-necr-003.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
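The missing "-key" case from the reply above, written as a preflight check that runs before sgadmin connects. This is an added example, not part of the thread or of Search Guard; parse_sgadmin, preflight and the sample commands are constructed for illustration, and only the options that appear in this thread are recognised.

```python
import shlex
import ssl
from pathlib import Path

# sgadmin options from this thread that take a value; other flags are booleans.
VALUE_OPTS = {"-cd", "-cacert", "-cert", "-key", "-keypass"}
SGADMIN = "/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh"
# Constructed sample commands modelled on the thread (placeholder password).
BROKEN = (SGADMIN + " -cd sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem"
          " -cert /etc/elasticsearch/kirk.pem -keypass PLACEHOLDER --ignore-clustername")
FIXED = BROKEN + " -key /etc/elasticsearch/kirk.key.pem"


def parse_sgadmin(cmdline):
    """Map each sgadmin option to its value (True for flags without one)."""
    tokens = shlex.split(cmdline)[1:]  # drop the script path
    opts, i = {}, 0
    while i < len(tokens):
        takes_value = tokens[i] in VALUE_OPTS and i + 1 < len(tokens)
        opts[tokens[i]] = tokens[i + 1] if takes_value else True
        i += 2 if takes_value else 1
    return opts


def preflight(cmdline, check_files=True):
    """Return problems detectable before sgadmin opens a connection."""
    opts, problems = parse_sgadmin(cmdline), []
    if "-cert" in opts and "-key" not in opts:
        problems.append("-cert given without -key: no private key file for the certificate")
    if "-keypass" in opts and "-key" not in opts:
        problems.append("-keypass given without -key: a password does not locate the key")
    if problems or not check_files:
        return problems
    for opt in ("-cacert", "-cert", "-key"):
        path = opts.get(opt)
        if path is not None and (path is True or not Path(path).is_file()):
            problems.append(f"{opt}: value missing or not a file")
    if not problems and "-cert" in opts:
        pw = opts.get("-keypass")
        try:
            # Fails if the passphrase is wrong or the key does not belong to the cert.
            # "" instead of None keeps OpenSSL from prompting on the terminal.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_cert_chain(opts["-cert"], opts["-key"],
                                password=pw if isinstance(pw, str) else "")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"key/cert/passphrase mismatch: {exc}")
    return problems
```

With check_files left at its default and run on the node itself, the last step also confirms that the key decrypts with the given passphrase and belongs to the certificate.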

Aleksei Saiko

Mar 5, 2019, 8:47:48 AM
to search...@googlegroups.com
Ok, I added it to the command; now it looks like this -
/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh  --enable-shard-allocation -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass dyrhL6JDgdum --ignore-clustername -key /etc/elasticsearch/kirk.key

I take the keypass password from the client-certificates.readme file in the 'out' folder.

When running the updated command, I receive this error - 

root@es-encr-001:config# /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh  --enable-shard-allocation -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass dyrhL6JDgdum --ignore-clustername -key /etc/elasticsearch/kirk.key
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{cfY_0zZ0R9O7nmknW1l5Mg}{localhost}{127.0.0.1:9300}]
13:40:56.895 [elasticsearch[_client_][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_162]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:1.8.0_162]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:1.8.0_162]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:1.8.0_162]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:1.8.0_162]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:1.8.0_162]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_162]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_162]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-common-4.1.30.Final.jar:4.1.30.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{cfY_0zZ0R9O7nmknW1l5Mg}{localhost}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:349)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:247)
at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:382)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:395)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:384)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:454)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)


Once again, the added conf for elasticsearch.yml is

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: jyQKPd3weIsd
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: L9Fl1UHRbhGk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.xxxx.com,OU=IL,O=xxxx Com\, Inc.,DC=xxxx,DC=com
- CN=es-encr-002.xxxx.com,OU=IL,O=xxxxCom\, Inc.,DC=xxxx,DC=com
- CN=es-encr-003.xxxx.com,OU=IL,O=xxxxCom\, Inc.,DC=xxxx,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.xxxx.com,OU=IL,O=xxxx Com\, Inc.,DC=xxxx,DC=com
"elasticsearch.yml" 114L, 4128C

SG

Mar 5, 2019, 12:27:00 PM
to search...@googlegroups.com
Can you provide the yml config you used to create the certificates with the TLS tool? Or how did you use the online TLS certificate generator?
> - CN=es-encr-001.xxxx.com,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
> - CN=es-encr-002.xxxx.com,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
> - CN=es-encr-003.xxxxcom,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
> searchguard.authcz.admin_dn:
> - CN=kirk.xxxx.com,OU=IL,O=xxxx Com\, Inc.,DC=xxxx,DC=com
> "elasticsearch.yml" 114L, 4128C
>
>
>
>
>
> Your command should look like
>
> /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername -key /etc/elasticsearch/kirk.key.pem

Aleksei Saiko

Mar 6, 2019, 8:51:22 AM
to search...@googlegroups.com
Hey,
I made another ES test cluster of 3 nodes, installed a new version of ES (6.6.1), Kibana and SG (all latest versions), and everything seems to be working.
Maybe it's something that has to do with versions...

Anyhow, I will try to do the same on my non-test cluster, and if I experience any problems, I will open a thread.

Also, I have a last question.

After SG has been installed, to use Cerebro for example, I need to authenticate myself now of course.

If the Kirk user is an admin, do I need to log in as Kirk with its password? Because it doesn't work.

Thanks!

On Tuesday, March 5, 2019 at 19:27:00 UTC+2, Search Guard wrote: