Export sgadmin certs from truststore to pem - Failed to create new users and roles

I have the same problem as described in the link below, being locked out of SearchGuard while running out of disk space: the searchguard index is marked as read-only, and I cannot make any updates to it.

I have access to the truststore and keystore. How can I export the certificates to PEM format so that they can be used by the mentioned curl command?

curl -k \
--cert "/path/to/admin-cert.pem" \
--key "/path/to/admin-key.pem"  \
-XPUT "https://sgssl-0.example.com:9200/_all/_settings" \
-H 'Content-Type: application/json' \
-d '{ "index.blocks.read_only_allow_delete": null }'

I’ve managed to convert the certs from the keystore to PEM, but still no luck:

keytool -importkeystore -srckeystore elasticsearch-01-keystore.jks -destkeystore elasticsearch-01-keystore.p12 -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in elasticsearch-01-keystore.p12 -out ca.pem -cacerts -nokeys
openssl pkcs12 -in elasticsearch-01-keystore.p12 -out client.pem -clcerts -nokeys 
openssl pkcs12 -in elasticsearch-01-keystore.p12 -out key.pem -nocerts
curl -ivk --cacert ca.pem \
--cert client.pem --key key.pem \
-XPUT -H "Content-Type: application/json" https://localhost:9200/_all/_settings \
-d '{ "index.blocks.read_only_allow_delete": null }'

The curl output is:

* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ca.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=COM; OU=SSL; CN=elasticsearch-01
*  start date: Jan  2 13:12:51 2019 GMT
*  expire date: Jan  1 13:12:51 2021 GMT
*  issuer: O=_RPLC_ORG_NAME; OU=_RPLC_ORG_NAME Signing CA; CN=_RPLC_ORG_NAME Signing CA
*  SSL certificate verify ok.
> PUT /_all/_settings HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 47
>
* upload completely sent off: 47 out of 47 bytes
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Search Guard"
WWW-Authenticate: Basic realm="Search Guard"
< content-type: text/plain; charset=UTF-8
content-type: text/plain; charset=UTF-8
< content-length: 12
content-length: 12

Managed to resolve it: removed the searchguard index by running sgadmin with the -dci key and re-created it by running sgadmin as usual (updating the SG config).
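
A check that applies to the 401 shown above, as an added example that is not part of the original thread: Search Guard treats a TLS client certificate as an admin certificate only when its subject DN is listed under `searchguard.authcz.admin_dn` in elasticsearch.yml, so a certificate whose DN is not listed can complete the handshake and still receive the Basic challenge. The script name, the file paths and the DN normalisation are assumptions, and only the block-list form of the setting is parsed.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and DNs passed in are the caller's.

# Subject of a PEM certificate in RFC 2253 form, e.g. CN=x,OU=y,C=z.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Lower-case a DN and drop spaces around ',' and '='.
# Assumption: an approximation for comparison, not Search Guard's own matcher.
normalize_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed \
        -e 's/[[:space:]]*,[[:space:]]*/,/g' -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Entries of the searchguard.authcz.admin_dn block list in file $1, one per line.
admin_dns() {
    awk '
        /^searchguard\.authcz\.admin_dn:/ { in_list = 1; next }
        in_list && /^[[:space:]]*-[[:space:]]/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next
        }
        in_list && /^[[:space:]]*(#.*)?$/ { next }   # blank or comment line
        in_list { in_list = 0 }                      # next key ends the list
    ' "$1" | sed -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# Exit 0 if DN $2 matches an admin_dn entry in elasticsearch.yml $1.
dn_is_admin() {
    want=$(normalize_dn "$2")
    admin_dns "$1" | while IFS= read -r entry; do
        normalize_dn "$entry"
    done | grep -Fxq -- "$want"
}

# Usage: sh check_admin_dn.sh client.pem /path/to/elasticsearch.yml
if [ "$#" -eq 2 ]; then
    subject=$(cert_subject "$1")
    [ -n "$subject" ] || exit 2
    if dn_is_admin "$2" "$subject"; then
        echo "listed in admin_dn: $subject"
    else
        echo "NOT listed in admin_dn: $subject"
        exit 1
    fi
fi
```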
