Error "no valid cipher suites for transport protocol"

I have followed the SSL quickstart guide - https://github.com/floragunncom/search-guard-ssl-docs/blob/master/quickstart.md

When starting ES I am getting the error below. Any ideas what I am doing wrong?

ES version 2.4.3

SG-SSL version search-guard-ssl 2.4.3.19

Java 8 based on Oracle jdk8u111-b14

Generated the truststore and keystores using the floragunn site and put them in the [ES-HOME]/config

  • se-01-keystore.jks

  • truststore.jks

Add the following to elasticsearch.yml

searchguard.ssl.transport.keystore_filepath: CN=se-01-keystore.jks
searchguard.ssl.transport.keystore_password: <keystore password>
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: <Truststore password>
searchguard.ssl.transport.enforce_hostname_verification: false

When starting ES I am getting the following error. Any ideas what I am doing wrong?

[2017-02-02 23:58:33,385][ERROR][bootstrap ] Exception
ElasticsearchSecurityException[no valid cipher suites for transport protocol]
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:154)
    at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:40)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
    at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
    at org.elasticsearch.node.Node.<init>(Node.java:179)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:45)

Can you provide the logs on INFO level that appeared prior to the error message?
Do you use OpenSSL? Maybe you have an outdated OpenSSL version installed; in this case try adding "searchguard.ssl.transport.enable_openssl_if_available: false" to elasticsearch.yml.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/dfb43290-9973-42dc-a634-dd4244e3996c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I added searchguard.ssl.transport.enable_openssl_if_available: false and I am getting the same error. Here is the complete output:

[2017-02-07 18:14:50,756][INFO ][node ] [Lady Lark] version[2.4.3], pid[4171], build[d38a34e/2016-12-07T16:28:56Z]
[2017-02-07 18:14:50,761][INFO ][node ] [Lady Lark] initializing …
[2017-02-07 18:14:52,227][INFO ][com.floragunn.searchguard.ssl.SearchGuardSSLPlugin] Search Guard 2 plugin not available
[2017-02-07 18:14:52,237][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Clustername: elasticsearch
[2017-02-07 18:14:52,259][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Node [null] is a transportClient: false/tribeNode: false/tribeNodeClient: false
[2017-02-07 18:14:52,261][INFO ][plugins ] [Lady Lark] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites
[2017-02-07 18:14:52,306][INFO ][env ] [Lady Lark] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [8gb], net total_space [9.9gb], spins? [unknown], types [rootfs]
[2017-02-07 18:14:52,308][INFO ][env ] [Lady Lark] heap size [1gb], compressed ordinary object pointers [unknown]
[2017-02-07 18:14:53,878][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Config directory is /opt/elastic/ElasticSearch/elasticsearch-2.4.3/config/, from there the key- and truststore files are resolved relatively
[2017-02-07 18:14:54,044][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers
[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers
[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTPProvider:null with ciphers
[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
Exception in thread "main" ElasticsearchSecurityException[no valid cipher suites for transport protocol]
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:154)
    at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:40)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
    at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
    at org.elasticsearch.node.Node.<init>(Node.java:179)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:45)

Refer to the log for complete error details.


  • What is your operating system?
  • Is it a 32 or 64bit operating system?
  • Is your Oracle jdk8u111-b14 a 32 or 64 bit (x86 or x64) version?
  • Do you run elasticsearch within a special environment (docker, etc) or within a public or private cloud?

I prepared a special “debug” version, can you pls install this and look for additional errors in the logfiles:

https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-ssl/2.4.3.20-SNAPSHOT/search-guard-ssl-2.4.3.20-20170207.190547-1.zip


The OS is Red Hat 7.

I will try the debug version and let you know.

Eliran


See below the information you asked for. I installed the jar you gave me and included the logs it produces when running below.

OS version: Red Hat Enterprise Linux Server release 7.3 (Maipo)

Environment: Google Cloud Compute

I installed Elasticsearch on the OS without any Docker or VM

$ java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr3fp20-20161019_02(SR3 FP20))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20161013_322271 (JIT enabled, AOT enabled)
J9VM - R28_Java8_SR3_20161013_1635_B322271
JIT - tr.r14.java.green_20161011_125790
GC - R28_Java8_SR3_20161013_1635_B322271_CMPRSS
J9CL - 20161013_322271)
JCL - 20161018_01 based on Oracle jdk8u111-b14

Logs:

[2017-02-09 23:26:03,126][INFO ][node ] [Jackpot] version[2.4.3], pid[2411], build[d38a34e/2016-12-07T16:28:56Z]
[2017-02-09 23:26:03,128][INFO ][node ] [Jackpot] initializing …
[2017-02-09 23:26:04,588][INFO ][com.floragunn.searchguard.ssl.SearchGuardSSLPlugin] Search Guard 2 plugin not available
[2017-02-09 23:26:04,611][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Clustername: elasticsearch
[2017-02-09 23:26:04,611][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Node [null] is a transportClient: false/tribeNode: false/tribeNodeClient: false
[2017-02-09 23:26:04,612][INFO ][plugins ] [Jackpot] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites
[2017-02-09 23:26:04,651][INFO ][env ] [Jackpot] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [8gb], net total_space [9.9gb], spins? [unknown], types [rootfs]
[2017-02-09 23:26:04,651][INFO ][env ] [Jackpot] heap size [1gb], compressed ordinary object pointers [unknown]
[2017-02-09 23:26:05,986][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Config directory is /opt/elastic/ElasticSearch/elasticsearch-2.4.3/config/, from there the key- and truststore files are resolved relatively
[2017-02-09 23:26:06,082][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2017-02-09 23:26:06,082][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers
[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers
[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTPProvider:null with ciphers
[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-02-09 23:26:06,373][ERROR][bootstrap ] Exception
ElasticsearchSecurityException[no valid cipher suites for transport protocol]
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:155)
    at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:40)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
    at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
    at org.elasticsearch.node.Node.<init>(Node.java:179)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:45)
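
Added example, not part of the thread and not Search Guard's code: the logs above show an empty list after "JDK with ciphers", and `java -version` reports an IBM J9 VM, so a useful check is to ask the same JVM which cipher suites it offers and how many survive an allow-list filter. The class name `CipherSuiteCheck` and the `ALLOWED` list are constructed for illustration, and the idea that the plugin filters the JVM's suites against a list of its own is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CipherSuiteCheck {

    // Constructed sample allow-list (AES-128 suites only, since the log says
    // AES-256 is unavailable). This is NOT Search Guard's actual list.
    static final List<String> ALLOWED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA");

    // Suites from the allow-list that the JVM reports under exactly the same name.
    static List<String> matchExact(List<String> allowed, String[] supported) {
        Set<String> offered = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String suite : allowed) {
            if (offered.contains(suite)) {
                out.add(suite);
            }
        }
        return out;
    }

    // Some JSSE providers report suite names with an SSL_ prefix where others
    // use TLS_. Dropping the prefix shows whether a mismatch is only in naming.
    static String stripPrefix(String suite) {
        return (suite.startsWith("TLS_") || suite.startsWith("SSL_"))
            ? suite.substring(4) : suite;
    }

    // Same comparison as matchExact, but ignoring the TLS_/SSL_ prefix.
    static List<String> matchIgnoringPrefix(List<String> allowed, String[] supported) {
        Set<String> offered = new HashSet<>();
        for (String suite : supported) {
            offered.add(stripPrefix(suite));
        }
        List<String> out = new ArrayList<>();
        for (String suite : allowed) {
            if (offered.contains(stripPrefix(suite))) {
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Which JVM is really running: vendor and VM name, not just "Java 8".
        System.out.println("java.vm.vendor = " + System.getProperty("java.vm.vendor"));
        System.out.println("java.vm.name   = " + System.getProperty("java.vm.name"));
        System.out.println("java.version   = " + System.getProperty("java.version"));

        // 128 here corresponds to the "AES-256 not supported" line in the log.
        System.out.println("max AES bits   = " + Cipher.getMaxAllowedKeyLength("AES"));

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] supported = engine.getSupportedCipherSuites();
        System.out.println("protocols      = " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("suites offered = " + supported.length);

        List<String> exact = matchExact(ALLOWED, supported);
        List<String> loose = matchIgnoringPrefix(ALLOWED, supported);
        System.out.println("exact matches  = " + exact);
        System.out.println("prefix-insensitive matches = " + loose);

        if (exact.isEmpty() && !loose.isEmpty()) {
            System.out.println("Result: the JVM offers these suites under a different "
                + "prefix; a filter on exact names would end up with an empty list.");
        } else if (exact.isEmpty()) {
            System.out.println("Result: none of the allow-listed suites is offered "
                + "by this JVM at all.");
        } else {
            System.out.println("Result: " + exact.size()
                + " allow-listed suites are usable on this JVM.");
        }
    }
}
```

Compile and run it with the same `java` binary that starts Elasticsearch, so the output describes the JVM that produced the error.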


For more options, visit https://groups.google.com/d/optout.

IBM JVM (J9) is not supported, please install Oracle JVM or OpenJDK


On Friday, 10 February 2017 00:32:06 UTC+1, Eliran Boraks wrote:

See below the information you asked for. I installed the jar you gave me and included the logs it produces when running below.

OS version: Red Hat Enterprise Linux Server release 7.3 (Maipo)

Environment: Google Cloud Compute

I installed Elasticsearch on the OS without any Docker or VM

    $ java -version
    java version "1.8.0"
    Java(TM) SE Runtime Environment (build pxa6480sr3fp20-20161019_02(SR3 FP20))
    IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20161013_322271 (JIT enabled, AOT enabled)
    J9VM - R28_Java8_SR3_20161013_1635_B322271
    JIT - tr.r14.java.green_20161011_125790
    GC - R28_Java8_SR3_20161013_1635_B322271_CMPRSS
    J9CL - 20161013_322271)
    JCL - 20161018_01 based on Oracle jdk8u111-b14

Logs:

[2017-02-09 23:26:03,126][INFO ][node ] [Jackpot] version[2.4.3], pid[2411], build[d38a34e/2016-12-07T16:28:56Z]

[2017-02-09 23:26:03,128][INFO ][node ] [Jackpot] initializing …

[2017-02-09 23:26:04,588][INFO ][com.floragunn.searchguard.ssl.SearchGuardSSLPlugin] Search Guard 2 plugin not available

[2017-02-09 23:26:04,611][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Clustername: elasticsearch

[2017-02-09 23:26:04,611][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Node [null] is a transportClient: false/tribeNode: false/tribeNodeClient: false

[2017-02-09 23:26:04,612][INFO ][plugins ] [Jackpot] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites

[2017-02-09 23:26:04,651][INFO ][env ] [Jackpot] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [8gb], net total_space [9.9gb], spins? [unknown], types [rootfs]

[2017-02-09 23:26:04,651][INFO ][env ] [Jackpot] heap size [1gb], compressed ordinary object pointers [unknown]

[2017-02-09 23:26:05,986][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Config directory is /opt/elastic/ElasticSearch/elasticsearch-2.4.3/config/, from there the key- and truststore files are resolved relatively

[2017-02-09 23:26:06,082][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-02-09 23:26:06,082][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers

[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers

[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTPProvider:null with ciphers

[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-02-09 23:26:06,083][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-02-09 23:26:06,373][ERROR][bootstrap ] Exception

ElasticsearchSecurityException[no valid cipher suites for transport protocol]

    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:155)
    at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:40)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
    at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
    at org.elasticsearch.node.Node.<init>(Node.java:179)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:45)

On Tuesday, February 7, 2017 at 2:09:21 PM UTC-5, Search Guard wrote:

  • What is your operating system?
  • Is it a 32 or 64bit operating system?
  • Is your Oracle jdk8u111-b14 a 32 or 64 bit (x86 or x64) version?
  • Do you run elasticsearch within a special environment (docker, etc) or within a public or private cloud?

I prepared a special "debug" version, can you please install this and look for additional errors in the logfiles:

https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-ssl/2.4.3.20-SNAPSHOT/search-guard-ssl-2.4.3.20-20170207.190547-1.zip

On Tuesday, 7 February 2017 19:17:12 UTC+1, Eliran Boraks wrote:

I added searchguard.ssl.transport.enable_openssl_if_available: false and I am getting the same error. Here is the complete output:

[2017-02-07 18:14:50,756][INFO ][node ] [Lady Lark] version[2.4.3], pid[4171], build[d38a34e/2016-12-07T16:28:56Z]

[2017-02-07 18:14:50,761][INFO ][node ] [Lady Lark] initializing …

[2017-02-07 18:14:52,227][INFO ][com.floragunn.searchguard.ssl.SearchGuardSSLPlugin] Search Guard 2 plugin not available

[2017-02-07 18:14:52,237][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Clustername: elasticsearch

[2017-02-07 18:14:52,259][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Node [null] is a transportClient: false/tribeNode: false/tribeNodeClient: false

[2017-02-07 18:14:52,261][INFO ][plugins ] [Lady Lark] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites

[2017-02-07 18:14:52,306][INFO ][env ] [Lady Lark] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [8gb], net total_space [9.9gb], spins? [unknown], types [rootfs]

[2017-02-07 18:14:52,308][INFO ][env ] [Lady Lark] heap size [1gb], compressed ordinary object pointers [unknown]

[2017-02-07 18:14:53,878][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Config directory is /opt/elastic/ElasticSearch/elasticsearch-2.4.3/config/, from there the key- and truststore files are resolved relatively

[2017-02-07 18:14:54,044][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers

[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers

[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTPProvider:null with ciphers

[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-02-07 18:14:54,045][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

Exception in thread "main" ElasticsearchSecurityException[no valid cipher suites for transport protocol]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:154)
at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:40)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
at org.elasticsearch.node.Node.<init>(Node.java:179)
at org.elasticsearch.node.Node.<init>(Node.java:140)
at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:45)

Refer to the log for complete error details.

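The `java -version` output quoted in this thread shows where the description "Java 8 based on Oracle jdk8u111-b14" came from: that phrase is IBM's JCL line, while the VM line reads IBM J9. A preflight check that classifies the JVM from the VM line, as an added example (not part of the thread and not Search Guard code); the function names and the HotSpot sample are constructed for illustration.

```shell
#!/bin/sh
# Classify a JVM from the text printed by `java -version` (read on stdin).
# Prints one of: ibm-j9, hotspot, openjdk, unknown.
classify_jvm() {
    awk '
        # The VM line is authoritative. IBM builds also print a JCL line
        # ending in "based on Oracle jdk...", which names the class library
        # baseline and not the VM vendor, so it is never consulted.
        /IBM J9 VM/ || /^J9VM - /      { kind = "ibm-j9" }
        /HotSpot\(TM\)/ && kind == ""  { kind = "hotspot" }
        /OpenJDK .*VM/ && kind == ""   { kind = "openjdk" }
        END { print (kind == "" ? "unknown" : kind) }
    '
}

# Return 0 when the JVM is one the thread names as supported (Oracle JVM or
# OpenJDK), 1 otherwise. With no argument it inspects the `java` on PATH.
jvm_supported() {
    if [ $# -gt 0 ]; then
        text=$1
    else
        text=$(java -version 2>&1) || return 1
    fi
    case $(printf '%s\n' "$text" | classify_jvm) in
        hotspot|openjdk) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: abbreviated from the IBM output quoted in the thread.
J9_SAMPLE='java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr3fp20-20161019_02(SR3 FP20))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20161013_322271 (JIT enabled, AOT enabled)
JCL - 20161018_01 based on Oracle jdk8u111-b14'

# Constructed sample: typical Oracle HotSpot output for the same Java level.
HOTSPOT_SAMPLE='java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)'

# Demonstration on the embedded samples only; no JVM needs to be installed.
for sample in "$J9_SAMPLE" "$HOTSPOT_SAMPLE"; do
    printf '%s\n' "$sample" | classify_jvm
done
```

Calling `jvm_supported` with no argument in the Elasticsearch start script checks the `java` that the node would actually launch with.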