Cannot apply license

es/kibana: 624

I cannot apply my license, as I am having cert/key problems at the same time. This was originally a demo installation, and I need to put in place my actual cert and key for the host that I have purchased. My error is below. Here is openssl demonstrating that the cert and keys are fine:

openssl rsa -in /etc/elasticsearch/MYKEYHERE.key -check

RSA key ok

writing RSA key

-----BEGIN RSA PRIVATE KEY-----

and my cert:

openssl x509 -in /etc/elasticsearch/MYCERTHERE.crt -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1520776778 (0x5aa5364a)

Signature Algorithm: sha256WithRSAEncryption

and my sgadmin command I am trying to run:

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -key ‘/etc/elasticsearch/MYKEYHERE.key’ -cert ‘/etc/elasticsearch/MYCERTHERE.crt’ -cacert ‘/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem’ -nhnv

I am trying to follow these directions:

Please advise as to why I cannot update my certificates and update my license from the demo license (which I THINK should be what is happening with my sgadmin command).

Thanks!

···

Search Guard Admin v6

Will connect to localhost:9300 … done

08:47:23.270 [main] ERROR com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore - Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.

ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

Trace:

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563)

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:104)

at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:105)

at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:130)

at org.elasticsearch.client.transport.TransportClient.(TransportClient.java:262)

at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.(SearchGuardAdmin.java:871)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554)

… 7 more

Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key]; nested: IllegalArgumentException[File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key]; nested: InvalidKeySpecException[Neither RSA, DSA nor EC worked]; nested: InvalidKeySpecException[java.security.InvalidKeyException: IOException : algid parse error, not a sequence]; nested: InvalidKeyException[IOException : algid parse error, not a sequence];

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145)

at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:193)

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:183)

… 12 more

Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)

at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287)

… 15 more

Caused by: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked

at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1045)

at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014)

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)

… 18 more

Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:169)

at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)

at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1043)

… 20 more

Caused by: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:352)

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)

at sun.security.ec.ECPrivateKeyImpl.(ECPrivateKeyImpl.java:73)

at sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)

… 22 more

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Update. I used the existing pem/cacert/key in /etc/elasticsearch that apparently the demo had put there. How can I update this to use my cert, key, and cacert rather than the ones the demo installed? Thanks!

···

On Friday, June 1, 2018 at 9:01:38 AM UTC-4, erik clark wrote:

es/kibana: 624

I cannot apply my license, as I am having cert/key problems at the same time. This was originally a demo installation, and I need to put in place my actual cert and key for the host that I have purchased. My error is below. Here is openssl demonstrating that the cert and keys are fine:

openssl rsa -in /etc/elasticsearch/MYKEYHERE.key -check

RSA key ok

writing RSA key

-----BEGIN RSA PRIVATE KEY-----

and my cert:

openssl x509 -in /etc/elasticsearch/MYCERTHERE.crt -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1520776778 (0x5aa5364a)

Signature Algorithm: sha256WithRSAEncryption

and my sgadmin command I am trying to run:

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -key ‘/etc/elasticsearch/MYKEYHERE.key’ -cert ‘/etc/elasticsearch/MYCERTHERE.crt’ -cacert ‘/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem’ -nhnv

I am trying to follow these directions:

https://docs.search-guard.com/latest/search-guard-enterprise-edition.html#applying-an-enterprise-license

Please advise as to why I cannot update my certificates and update my license from the demo license (which I THINK should be what is happening with my sgadmin command).

Thanks!


Search Guard Admin v6

Will connect to localhost:9300 … done

08:47:23.270 [main] ERROR com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore - Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.

ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

Trace:

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563)

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:104)

at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:105)

at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:130)

at org.elasticsearch.client.transport.TransportClient.(TransportClient.java:262)

at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.(SearchGuardAdmin.java:871)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554)

… 7 more

Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key]; nested: IllegalArgumentException[File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key]; nested: InvalidKeySpecException[Neither RSA, DSA nor EC worked]; nested: InvalidKeySpecException[java.security.InvalidKeyException: IOException : algid parse error, not a sequence]; nested: InvalidKeyException[IOException : algid parse error, not a sequence];

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145)

at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:193)

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:183)

… 12 more

Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)

at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287)

… 15 more

Caused by: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked

at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1045)

at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014)

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)

… 18 more

Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:169)

at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)

at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1043)

… 20 more

Caused by: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:352)

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)

at sun.security.ec.ECPrivateKeyImpl.(ECPrivateKeyImpl.java:73)

at sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)

… 22 more

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Please close this.

···

On Friday, June 1, 2018 at 10:43:38 AM UTC-4, erik clark wrote:

Update. I used the existing pem/cacert/key in /etc/elasticsearch that apparently the demo had put there. How can I update this to use my cert, key, and cacert rather than the ones the demo installed? Thanks!

On Friday, June 1, 2018 at 9:01:38 AM UTC-4, erik clark wrote:

es/kibana: 624

I cannot apply my license, as I am having cert/key problems at the same time. This was originally a demo installation, and I need to put in place my actual cert and key for the host that I have purchased. My error is below. Here is openssl demonstrating that the cert and keys are fine:

openssl rsa -in /etc/elasticsearch/MYKEYHERE.key -check

RSA key ok

writing RSA key

-----BEGIN RSA PRIVATE KEY-----

and my cert:

openssl x509 -in /etc/elasticsearch/MYCERTHERE.crt -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1520776778 (0x5aa5364a)

Signature Algorithm: sha256WithRSAEncryption

and my sgadmin command I am trying to run:

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -key ‘/etc/elasticsearch/MYKEYHERE.key’ -cert ‘/etc/elasticsearch/MYCERTHERE.crt’ -cacert ‘/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem’ -nhnv

I am trying to follow these directions:

https://docs.search-guard.com/latest/search-guard-enterprise-edition.html#applying-an-enterprise-license

Please advise as to why I cannot update my certificates and update my license from the demo license (which I THINK should be what is happening with my sgadmin command).

Thanks!


Search Guard Admin v6

Will connect to localhost:9300 … done

08:47:23.270 [main] ERROR com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore - Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.

ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

Trace:

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563)

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:104)

at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:105)

at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:130)

at org.elasticsearch.client.transport.TransportClient.(TransportClient.java:262)

at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.(SearchGuardAdmin.java:871)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554)

… 7 more

Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key]; nested: IllegalArgumentException[File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key]; nested: InvalidKeySpecException[Neither RSA, DSA nor EC worked]; nested: InvalidKeySpecException[java.security.InvalidKeyException: IOException : algid parse error, not a sequence]; nested: InvalidKeyException[IOException : algid parse error, not a sequence];

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145)

at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:193)

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:183)

… 12 more

Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/MYKEYHERE.key

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)

at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613)

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287)

… 15 more

Caused by: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked

at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1045)

at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014)

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)

… 18 more

Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:169)

at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)

at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1043)

… 20 more

Caused by: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:352)

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)

at sun.security.ec.ECPrivateKeyImpl.(ECPrivateKeyImpl.java:73)

at sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)

… 22 more

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any