KeyStoreException: no key alias named xyz

Breno Inojosa

Jul 28, 2016, 10:30:25 AM
to Search Guard
Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias

cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this:
myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): ....

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread "main" ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];
Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

Just making sure I'm not doing anything wrong before opening a bug on Github.

Any clues?

in...@search-guard.com

Jul 28, 2016, 3:46:56 PM
to Search Guard
Please post your elasticsearch.yml

And it seems like your alias 'myHappyAliasHere' refers to a certificate and not to a private key. Maybe you can also post the complete verbose output of 'keytool -list'.

Breno Inojosa

Jul 28, 2016, 4:41:50 PM
to Search Guard
Sorry, as I was replacing the text with fake data, I forgot to keep it consistent:
myHappyAliasHere is the same as keystoreAliasHere

It's interesting that when I try to generate another keystore with the same alias, it complains about it: 
keytool error: java.lang.Exception: Certificate not imported, alias < myHappyAliasHere > already exists

Apart from the regular stuff on my elasticsearch.yml, I have:

searchguard.ssl.transport.enabled: true
searchguard.ssl.http.enabled: false

searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: myHappyPass

searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: myHappyPass

searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.keystore_password: myHappyPassTwo
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.keystore_password: myHappyPassTwo

Breno Inojosa

Jul 28, 2016, 5:23:47 PM
to Search Guard
keytool -list gave me this:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myHappyAliasHere, Jul 28, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): ....

Breno Inojosa

Jul 29, 2016, 10:31:09 AM
to Search Guard
Though I still want to understand why it's not working this way, I have found that converting my key to PKCS12 and then to JKS works.

ZillaYT

Sep 9, 2016, 3:49:05 PM
to Search Guard
I'm getting this with sg-ssl-v2.3.5.15. Is there a fix? I've tried using the PKC512 type to no avail.

Chris

Umair Hassan

Jun 14, 2017, 6:40:55 PM
to Search Guard
Hi,

I have the same issue. I have my own-created certs, keystore and truststore. Keytool shows the alias from the keystore, but Elasticsearch complains that it could not find the alias I mentioned. Here are my configs:
elasticsearch.yml

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_alias: root-ca
searchguard.ssl.transport.keystore_alias: elastic
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.keystore_alias: elastic
searchguard.ssl.http.truststore_alias: root-ca
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.authcz.admin_dn:
  - CN=marry,OU=Openstack,O=Cloud9 Networks FZE,L=DSO, C=AE

cluster.name: ES_demo
network.host: 0.0.0.0
######## End Search Guard Demo Configuration ########

[root@util tools]# keytool -list -v -keystore /etc/elasticsearch/keystore.jks -alias elastic
Enter keystore password:  
Alias name: elastic
Creation date: Jun 14, 2017
Entry type: trustedCertEntry

Owner: EMAILADDRESS=a...@domain.com, CN=abc, OU=unit, O=org, L=cqg, ST=a, C=s
Issuer: ***************************************
Serial number: 1001
Valid from: Wed Jun 14 16:00:19 EDT 2017 until: Sun May 13 16:00:19 EDT 2018
Certificate fingerprints:

--------------------------------------------

Extensions: 

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.35 Criticality=false

#3: ObjectId: 2.5.29.19 Criticality=false

#4: ObjectId: 2.5.29.37 Criticality=false


#5: ObjectId: 2.5.29.15 Criticality=true

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false

#7: ObjectId: 2.5.29.14 Criticality=false

---------------------------------

Elasticsearch log

[2017-06-14T18:26:33,166][ERROR][c.f.s.s.u.SSLCertificateHelper] Alias elastic does not exists or contain hold a certificate chain
[2017-06-14T18:26:33,232][ERROR][o.e.b.Bootstrap          ] Exception
org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:430) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.4.0.jar:5.4.0]
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
... 14 more
Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:261) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
... 14 more
Caused by: java.security.KeyStoreException: no key alias named elastic
at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:136) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:227) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
... 14 more
[2017-06-14T18:26:33,241][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchException[Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]]; nested: InvocationTargetException; nested: ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic]; nested: KeyStoreException[no key alias named elastic];
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.4.0.jar:5.4.0]
Caused by: org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:430) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
... 6 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
... 6 more
Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:261) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
... 6 more
Caused by: java.security.KeyStoreException: no key alias named elastic
at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:136) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:227) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
... 6 more


I don't know why it isn't picking up the alias.
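
Added example, not part of any post in this thread: both keytool -list outputs above report the alias as trustedCertEntry, which is what keytool -importcert creates, while a node's TLS keystore needs a PrivateKeyEntry under that alias. The script classifies an alias from keytool -list output and wraps the PKCS12-then-JKS conversion reported earlier in the thread. Function names, file names and the P12_PASS / JKS_PASS variables are assumptions, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, file names and the
# P12_PASS / JKS_PASS variables are assumptions; sample listings are constructed.
SAMPLE_SHORT='Your keystore contains 1 entry

myhappyaliashere, Jul 28, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22 (constructed)'
SAMPLE_VERBOSE='Alias name: elastic
Creation date: Jun 14, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2'

# entry_type ALIAS: read `keytool -list` text on stdin and print the entry
# type recorded for ALIAS, or "missing". JKS treats aliases
# case-insensitively, so the comparison does too.
entry_type() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        # Verbose form: "Alias name: x", later "Entry type: y".
        /^Alias name: / { cur = tolower(substr($0, 13)); next }
        /^Entry type: / && cur == want { print substr($0, 13); hit = 1; exit }
        # Short form: "alias, <date>, <type>,"
        {
            n = split($0, f, /, */)
            if (n >= 3 && tolower(f[1]) == want)
                for (i = 2; i <= n; i++)
                    if (f[i] ~ /Entry$/) { print f[i]; hit = 1; exit }
        }
        END { if (!hit) print "missing" }'
}

# has_private_key ALIAS: succeed only for a PrivateKeyEntry. A trustedCertEntry
# holds a certificate alone, so a TLS server has no key to load from it.
has_private_key() {
    [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

# rebuild_keystore ALIAS CHAIN.pem KEY.pem OUT.jks: bundle key and chain into
# PKCS12, import that into a JKS store, then confirm the entry type.
# Passwords are read from exported environment variables, not argv.
# Key password is set equal to the store password (assumption).
rebuild_keystore() {
    openssl pkcs12 -export -in "$2" -inkey "$3" -name "$1" \
        -out "$4.p12" -passout env:P12_PASS &&
    keytool -importkeystore -srckeystore "$4.p12" -srcstoretype PKCS12 \
        -srcstorepass:env P12_PASS -destkeystore "$4" -deststoretype JKS \
        -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS &&
    keytool -list -keystore "$4" -storepass:env JKS_PASS | has_private_key "$1"
}
```

To check a live store, pipe the real listing into the classifier, for example: keytool -list -keystore keystore.jks | entry_type elastic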

Karthikeyan M

Jul 13, 2018, 1:30:19 AM
to Search Guard Community Forum
Hi,
were you able to find a fix for this issue?
I am also facing a similar error.