Empty file path for searchguard.ssl.transport.pemkey_filepath

Hi,

I’m getting an Empty file path for searchguard.ssl.transport.pemkey_filepath error even though I have specified the path in the elasticsearch.yml file.

I’m using a Letsencrypt certificate

Full Error

ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:105)
    at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:103)
    at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:128)
    at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:251)
    at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:871)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443)
    ... 7 more
Caused by: ElasticsearchException[Empty file path for searchguard.ssl.transport.pemkey_filepath]
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:701)
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:193)
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:282)
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:192)
    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:182)
    ... 12 more

/etc/elasticsearch/elasticsearch.yml

searchguard.ssl.transport.pemkey_filepath: privkey.pem
searchguard.ssl.transport.pemcert_filepath: fullchain.pem
searchguard.ssl.transport.pemtrustedcas_filepath: chain.pem
searchguard.ssl.transport.enforce_hostname_verification: true

Elasticsearch version: 6.1.3

Searchguard version: 6.1.3-21.0

Java version: 1.8.0_161

Thank you

Can you pls post the startup log of your elasticsearch node?
Maybe /etc/elasticsearch/elasticsearch.yml is not the configuration file which is really used?

On 12.02.2018 at 21:42, Jorge Martins <jorge.martins@wemake.pt> wrote:

Hi,

I'm getting an Empty file path for searchguard.ssl.transport.pemkey_filepath error even though I have specified the path in the elasticsearch.yml file.
I'm using a Letsencrypt certificate


[2018-02-15T19:08:25,182][INFO ][o.e.n.Node ] initializing …

[2018-02-15T19:08:25,367][INFO ][o.e.e.NodeEnvironment ] [6PJrZCB] using [1] data paths, mounts [[/ (/dev/root)]], net usable_space [41.9gb], net total_space [47gb], types [ext4]

[2018-02-15T19:08:25,367][INFO ][o.e.e.NodeEnvironment ] [6PJrZCB] heap size [1007.3mb], compressed ordinary object pointers [true]

[2018-02-15T19:08:25,499][INFO ][o.e.n.Node ] node name [6PJrZCB] derived from node ID [6PJrZCByTOyTJ5JBzaeBWA]; set [node.name] to override

[2018-02-15T19:08:25,499][INFO ][o.e.n.Node ] version[6.1.3], pid[31574], build[af51318/2018-01-26T18:22:55.523Z], OS[Linux/4.14.14-x86_64-linode94/amd64], JVM[Oracle Corporation/Java HotSpot™ 64-Bit Server VM/1.8.0_161/25.161-b12]

[2018-02-15T19:08:25,499][INFO ][o.e.n.Node ] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch]

[2018-02-15T19:08:27,381][WARN ][c.f.s.SearchGuardPlugin ] Search Guard plugin installed but disabled. This can expose your configuration (including passwords) to the public.

[2018-02-15T19:08:27,390][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [aggs-matrix-stats]

[2018-02-15T19:08:27,390][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [analysis-common]

[2018-02-15T19:08:27,390][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [ingest-common]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [lang-expression]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [lang-mustache]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [lang-painless]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [mapper-extras]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [parent-join]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [percolator]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [reindex]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [repository-url]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [transport-netty4]

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [tribe]

[2018-02-15T19:08:27,392][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded plugin [search-guard-6]

btw, I’m using the following command I got from the documentation: sudo ./sgadmin.sh -cd …/sgconfig/ -icl -nhnv -cacert root-ca.pem -cert crtfull.pem -key key.pem

I’m not sure about this, because the documentation is not clear: when I do -cd …/sgconfig/, does that also use the elasticsearch.yml.example file in the sgconfig folder, or does it use only the sg_*.yml files?

Can that be the error? Do I need to specify a specific location of the elasticsearch.yml?

On Tuesday, 13 February 2018 at 17:46:30 UTC, Search Guard wrote:

Can you pls post the startup log of your elasticsearch node?

Maybe /etc/elasticsearch/elasticsearch.yml is not the configuration file which is really used?


elasticsearch.yml.example is not touched by sgadmin. In fact, in order for changes to the elasticsearch.yml to take effect you have to restart the node.

So just to be clear, when does this exception happen? When you start the node, or when you execute sgadmin?

The log entries you sent indicate that you disabled Search Guard:

[2018-02-15T19:08:27,381][WARN ][c.f.s.SearchGuardPlugin ] Search Guard plugin installed but disabled. This can expose your configuration (including passwords) to the public.

Is this on purpose?

To examine further we need the full elasticsearch log, including startup sequence, and the exception you mentioned above. Ideally, send also your elasticsearch.yaml and the sg_config.yaml you are using.

On Thursday, February 15, 2018 at 8:20:07 PM UTC+1, Jorge Martins wrote:


btw, I’m using the following command I got from the documentation: sudo ./sgadmin.sh -cd …/sgconfig/ -icl -nhnv -cacert root-ca.pem -cert crtfull.pem -key key.pem

I’m not sure about this, because the documentation is not clear: when I do -cd …/sgconfig/, does that also use the elasticsearch.yml.example file in the sgconfig folder, or does it use only the sg_*.yml files?

Can that be the error? Do I need to specify a specific location of the elasticsearch.yml?


The exception happens when I execute sgadmin.

Yes, I disabled Search Guard after I was unable to configure it.

I’ve attached elasticsearch.log, elasticsearch.yaml and sg_config.yaml

I notice the SSL Problem Received fatal alert: certificate_unknown errors in elasticsearch.log

I’m using certificates created by letsencrypt and followed the searchguard-ssl-config-template.yml example.

If you feel that it’s better, I can reinstall all again and use your demo installer just to make sure.

Thank you

EDIT: I changed the IP address in the elasticsearch.log to 000.000.000.00 just to not disclose my IP

elasticsearch.log (61.9 KB)

sg_config.yml (9.4 KB)

elasticsearch.yml (3.63 KB)

On Monday, 19 February 2018 at 11:08:59 UTC, Jochen Kressin wrote:

elasticsearch.yml.example is not touched by sgadmin. In fact, in order for changes to the elasticsearch.yml to take effect you have to restart the node.

So just to be clear, when does this exception happen? When you start the node, or when you execute sgadmin?

The log entries you sent indicate that you disabled Search Guard:

[2018-02-15T19:08:27,381][WARN ][c.f.s.SearchGuardPlugin ] Search Guard plugin installed but disabled. This can expose your configuration (including passwords) to the public.

Is this on purpose?

To examine further we need the full elasticsearch log, including startup sequence, and the exception you mentioned above. Ideally, send also your elasticsearch.yaml and the sg_config.yaml you are using.


The root cause is "No subject alternative DNS name matching localhost found."
So I guess you need to set network.host in elasticsearch.yml to your correct hostname (or whatever is in your letsencrypt certs as CN or SAN),
see https://github.com/floragunncom/search-guard/issues/442 and https://groups.google.com/forum/#!searchin/search-guard/subject$20alternative|sort:date/search-guard/ldix18ctTk8/5sCT59chBAAJ

On 19.02.2018 at 19:45, Jorge Martins <jorge.martins@wemake.pt> wrote:

The exception happens when I execute sgadmin.

Yes, I disabled Search Guard after I was unable to configure it.

I've attached elasticsearch.log, elasticsearch.yaml and sg_config.yaml

I notice the SSL Problem Received fatal alert: certificate_unknown errors in elasticsearch.log

I'm using certificates created by letsencrypt and followed the searchguard-ssl-config-template.yml example.

If you feel that it's better, I can reinstall all again and use your demo installer just to make sure.

Thank you

[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [reindex]
[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [repository-url]
[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [transport-netty4]
[2018-02-15T19:08:27,391][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded module [tribe]
[2018-02-15T19:08:27,392][INFO ][o.e.p.PluginsService ] [6PJrZCB] loaded plugin [search-guard-6]

btw, I'm using the following command I got from the documentation: sudo ./sgadmin.sh -cd ../sgconfig/ -icl -nhnv -cacert root-ca.pem -cert crtfull.pem -key key.pem

I'm not sure about this, because the documentation is not clear: when I do -cd ../sgconfig/, does that also use the elasticsearch.yml.example file in the sgconfig folder, or does it use only the sg_*.yml files?

Can that be the error? Do I need to specify a specific location of the elasticsearch.yml?

On Tuesday, 13 February 2018 at 17:46:30 UTC, Search Guard wrote:
Can you pls post the startup log of your elasticsearch node?
Maybe /etc/elasticsearch/elasticsearch.yml is not the configuration file which is really used?

> On 12.02.2018 at 21:42, Jorge Martins <jorge....@wemake.pt> wrote:
>
> Hi,
>
> I'm getting an Empty file path for searchguard.ssl.transport.pemkey_filepath error even though I have specified the path in the elasticsearch.yml file.
> I'm using a Letsencrypt certificate
>
>
>
> Full Error
>
> ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
> Trace:
> java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
> at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452)
> at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:105)
> at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:103)
> at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:128)
> at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:251)
> at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:871)
> at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)
> at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
> Caused by: java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443)
> ... 7 more
> Caused by: ElasticsearchException[Empty file path for searchguard.ssl.transport.pemkey_filepath]
> at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:701)
> at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:193)
> at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:282)
> at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145)
> at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:192)
> at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:182)
> ... 12 more
>
>
> /etc/elasticsearch/elasticsearch.yml
>
> ...
> searchguard.ssl.transport.pemkey_filepath: privkey.pem
> searchguard.ssl.transport.pemcert_filepath: fullchain.pem
> searchguard.ssl.transport.pemtrustedcas_filepath: chain.pem
> searchguard.ssl.transport.enforce_hostname_verification: true
> ...
>
>
> Elasticsearch version: 6.1.3
> Searchguard version: 6.1.3-21.0
> Java version: 1.8.0_161
>
>
> Thank you
