janarayb vermundo kristianna

Albina Hickel

Aug 2, 2024, 8:20:50 PM
to atalkoeter

I did a minimal install of NetBSD 6.1.2 and thought it would be easy to install a working gcc package. But even after pkg_add -r gcc48 gcc48-libs and adding gcc to the path, gcc is still not able to compile simple programs.

Exception in thread "main" ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
at org.elasticsearch.xpack.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61)
at org.elasticsearch.xpack.ssl.SSLService.createSslContext(SSLService.java:408)
at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:444)
at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87)
at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:91)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.elasticsearch.xpack.ssl.CertUtils.readKeyStore(CertUtils.java:230)
at org.elasticsearch.xpack.ssl.CertUtils.trustManager(CertUtils.java:221)
at org.elasticsearch.xpack.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:59)

I did start out with the latest bits, 6.1.2 on a Windows Enterprise 10 machine, but aside from that the steps were followed to the letter. Note that I am using cmder with terminals, node1 term, node2 term, and issuing the command in term3 (C:\tmp\cert_blog\elasticsearch-6.1.2)

SSL connection to :9200/_xpack/security/_authenticate?pretty failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

Generally I would recommend running setup-passwords before configuring TLS. You don't have to do that, but when you're starting out for the very first time, I think that the most straightforward path is the order below. It does require starting and stopping your node(s) multiple times, and changing configuration as you go, so it's not suitable for every environment (which is why it's not the instructions in the docs) but if you want a path where you do 1 step, verify it worked, and then do the next step, this is the way to go:

The challenge with setup-passwords is that it acts as a client of the ES HTTP API, but Elasticsearch is not normally a consumer of its own API. So you can have a perfectly configured ES cluster, but it doesn't know how to talk to itself (because it normally doesn't need to). That usually becomes a problem when SSL/TLS is involved because the steps you need to do to make Elasticsearch work as an HTTP server with TLS are not the same as what you need to make a client talk to Elasticsearch over HTTPS.

I tend to like the approach of doing the certs first as the blog outlined, it seemed to make more sense creating them first instead of backing into them after the clusters have been built. Pros and Cons to both approaches I guess. By the time I get this running I'll look back at these days and think, oh that was easy.... I hope

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alerts.getSSLException(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at java.base/sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at java.base/sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(Unknown Source)
at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at java.base/sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at java.base/sun.security.ssl.Handshaker.processLoop(Unknown Source)
at java.base/sun.security.ssl.Handshaker.processRecord(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at org.elasticsearch.xpack.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:54)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.elasticsearch.xpack.common.socket.SocketAccess.doPrivileged(SocketAccess.java:53)
at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:110)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at java.base/sun.security.validator.Validator.validate(Unknown Source)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at org.elasticsearch.xpack.ssl.SSLService$ReloadableTrustManager.checkServerTrusted(SSLService.java:568)
... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
... 33 more

If it helps, the only reason I thought to mention it was that I went to check whether --verbose provided any useful output for this scenario, and accidentally ran it in a terminal window that had ES_PATH_CONF set to the wrong place

The keystore file should be created automatically when you install X-Pack.
The password functionality relies on the keystore existing, as it contains the secret initial password that is used to authenticate the setup command.

You can create a new one (which will automatically have the bootstrap secret) with bin/elasticsearch-keystore create. You'll need to restart ES after you do that (it doesn't automatically reload the keystore).

Not sure about the original node1 config, but the second one for node2 was created by hand. I believe issuing this command on Windows from the step Elasticsearch TLS setup in the blog post might have potentially been the issue, or myself, take your pick.

Initiating the setup of passwords for reserved users elastic,kibana,logstash_system.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y

Kernel launching (hipLaunchKernel/hipLaunchKernelGGL is the preferred way of launching kernels. hipLaunchKernelGGL is a standard C/C++ macro that can serve as an alternative way to launch kernels, replacing the CUDA triple-chevron (<<< >>>) syntax).

No. HIP provides porting tools which do most of the work to convert CUDA code into portable C++ code that uses the HIP APIs. Most developers will port their code from CUDA to HIP and then maintain the HIP version. HIP code provides the same performance as native CUDA code, plus the benefits of running on AMD platforms.
