ElasticsearchException[Cannot recover key] - search-guard-2(2.3.1.0-beta1)

I installed on ElasticSearch 2.3.1 the last version of Search Guard: search-guard-2(2.3.1.0-beta1) and search-guard-ssl(2.3.1.8.1)`

`
the error:

Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN No appenders could be found for logger (common).
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN Please initialize the log4j system properly.
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Apr
21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,228][WARN ][bootstrap ] unable to install syscall filter: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and
CONFIG_SECCOMP_FILTER are needed
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node
] [Deathurge] version[2.3.1], pid[12243], build[bd98092/2016-04-04T12:
25:05Z]
Apr
21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node ] [Deathurge] initializing …
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr 21 14:56:50 usve77073 elasticsearch: This is alpha software, do not use in production
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr
21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,026][INFO ][plugins ] [Deathurge] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] using [1] data paths, mounts [[/ (/dev/vzfs)]], net usable_space [375.3gb], net total_space [400gb], spins? [possibly], types [reiserfs]
Apr
21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] heap size [989.8mb], compressed
ordinary object pointers [true]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][WARN ][env
] [Deathurge] max file descriptors [65535] for elasticsearch process likely too low, consider increasing to at least [65536]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,103][INFO ][com.floragunn.searchguard. ssl.SearchGuardKeyStore]
Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard. ssl.SearchGuardKeyStore]
Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Effective settings:
Apr 21 14:56:50 usve77073 elasticsearch: client.type=node
Apr 21 14:56:50 usve77073 elasticsearch: cluster.name=elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: config.ignore_system_properties=true
Apr 21 14:56:50 usve77073 elasticsearch: name=Deathurge
Apr 21 14:56:50 usve77073 elasticsearch: path.conf=/etc/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.data=/var/lib/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.home=/usr/share/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.logs=/var/log/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: pidfile=/var/run/elasticsearch/elasticsearch.pid
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.enabled=true
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_filepath=/etc/elasticsearch/instore-keystore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_filepath=/etc/elasticsearch/truststore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: security.manager.enabled=false
Apr
21 14:56:50 usve77073 elasticsearch: Exception in thread “main” ElasticsearchException[Cannot recover key]; nested: UnrecoverableKeyException[Cannot recover key];
Apr 21 14:56:50 usve77073 elasticsearch: Likely root cause: java.security.UnrecoverableKeyException: Cannot recover key
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
Apr 21 14:56:50 usve77073 elasticsearch: at java.security.KeyStore.getKey(KeyStore.java:1023)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:84)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:192)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.(SearchGuardKeyStore.java:132)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLModule.(SearchGuardSSLModule.java:29)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:113)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.(Node.java:179)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.(Node.java:140)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Apr 21 14:56:50 usve77073 elasticsearch: Refer to the log for complete error details.

NOTE: The passwords are in text. i changed for *** in post.

"java.security.UnrecoverableKeyException: Cannot recover key" typically means that the password is incorrect.
Do you have more than one private key with different password in instore-keystore.jks?
Pls make also sure that the keystore password and the password of the key are the same.

···

Am 21.04.2016 um 18:13 schrieb soportecanopus@gmail.com:

I installed on ElasticSearch 2.3.1 the last version of Search Guard: search-guard-2(2.3.1.0-beta1) and search-guard-ssl(2.3.1.8.1)

the error:

Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN No appenders could be found for logger (common).
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN Please initialize the log4j system properly.
Apr 21 14:56:48 usve77073 elasticsearch: log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,228][WARN ][bootstrap ] unable to install syscall filter: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node ] [Deathurge] version[2.3.1], pid[12243], build[bd98092/2016-04-04T12:
25:05Z]
Apr 21 14:56:49 usve77073 elasticsearch: [2016-04-21 14:56:49,384][INFO ][node ] [Deathurge] initializing ...
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr 21 14:56:50 usve77073 elasticsearch: This is alpha software, do not use in production
Apr 21 14:56:50 usve77073 elasticsearch: ************************************************
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,026][INFO ][plugins ] [Deathurge] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] using [1] data paths, mounts [[/ (/dev/vzfs)]], net usable_space [375.3gb], net total_space [400gb], spins? [possibly], types [reiserfs]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][INFO ][env ] [Deathurge] heap size [989.8mb], compressed ordinary object pointers [true]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,053][WARN ][env ] [Deathurge] max file descriptors [65535] for elasticsearch process likely too low, consider increasing to at least [65536]
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,103][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
Apr 21 14:56:50 usve77073 elasticsearch: [2016-04-21 14:56:50,104][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Effective settings:
Apr 21 14:56:50 usve77073 elasticsearch: client.type=node
Apr 21 14:56:50 usve77073 elasticsearch: cluster.name=elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: config.ignore_system_properties=true
Apr 21 14:56:50 usve77073 elasticsearch: name=Deathurge
Apr 21 14:56:50 usve77073 elasticsearch: path.conf=/etc/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.data=/var/lib/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.home=/usr/share/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: path.logs=/var/log/elasticsearch
Apr 21 14:56:50 usve77073 elasticsearch: pidfile=/var/run/elasticsearch/elasticsearch.pid
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.enabled=true
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_filepath=/etc/elasticsearch/instore-keystore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.keystore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_filepath=/etc/elasticsearch/truststore.jks
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_password=*********
Apr 21 14:56:50 usve77073 elasticsearch: searchguard.ssl.transport.truststore_type=JKS
Apr 21 14:56:50 usve77073 elasticsearch: security.manager.enabled=false
Apr 21 14:56:50 usve77073 elasticsearch: Exception in thread "main" ElasticsearchException[Cannot recover key]; nested: UnrecoverableKeyException[Cannot recover key];
Apr 21 14:56:50 usve77073 elasticsearch: Likely root cause: java.security.UnrecoverableKeyException: Cannot recover key
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
Apr 21 14:56:50 usve77073 elasticsearch: at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
Apr 21 14:56:50 usve77073 elasticsearch: at java.security.KeyStore.getKey(KeyStore.java:1023)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:84)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:192)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:132)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
Apr 21 14:56:50 usve77073 elasticsearch: at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:113)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.<init>(Node.java:179)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.Node.<init>(Node.java:140)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
Apr 21 14:56:50 usve77073 elasticsearch: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Apr 21 14:56:50 usve77073 elasticsearch: Refer to the log for complete error details.

NOTE: The passwords are in text. i changed for *** in post.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e3ecb0c2-8411-4e98-8102-a5244ac3bede%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.