Elasticsearch version:
7.14.1
Server OS version:
Centos 7 / Using Docker containers GitHub - deviantony/docker-elk at searchguard

Describe the issue:
If I try to run sgadmin.sh on the docker container to add new users I get the following error.

Will connect to localhost:9300 … done
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:718)
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:114)
at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:103)
at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:128)
at org.elasticsearch.client.transport.TransportClient.(TransportClient.java:271)
at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.(SearchGuardAdmin.java:1088)
at com.floragunn.searchguard.tools.SearchGuardAdmin.execute(SearchGuardAdmin.java:612)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:157)
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:78)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:709)
… 7 more
Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.security.cert.CertificateException: No certificate data found]; nested: CertificateException[No certificate data found];
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initTransportSSLConfig(DefaultSearchGuardKeyStore.java:399)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:254)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:175)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:202)
at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:246)
… 13 more
Caused by: java.security.cert.CertificateException: No certificate data found
at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:461)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:361)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
at com.floragunn.searchguard.support.PemKeyReader.loadCertificatesFromFile(PemKeyReader.java:196)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initTransportSSLConfig(DefaultSearchGuardKeyStore.java:372)
… 17 more

1. I created the tls certificates using the search-guard offline tool.
2. added the certificates and enabled the ssl for transport with no isues.

Provide configuration:
elasticsearch/config/elasticsearch.yml

Default Elasticsearch configuration from Elasticsearch base image.

elasticsearch/elasticsearch.yml at main · elastic/elasticsearch · GitHub

cluster.name: “docker-cluster”
network.host: 0.0.0.0

X-Pack settings

see https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-xpack.html

xpack.license.self_generated.type: basic
xpack.security.enabled: false

Search Guard

searchguard.enterprise_modules_enabled: false

searchguard.ssl.transport.pemcert_filepath: /usr/share/elasticsearch/config/node1.pem
searchguard.ssl.transport.pemkey_filepath: /usr/share/elasticsearch/config/node1.key
searchguard.ssl.transport.pemkey_password: XXXXXXXXXXXX
searchguard.ssl.transport.pemtrustedcas_filepath: /usr/share/elasticsearch/config/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /usr/share/elasticsearch/config/node1.pem
searchguard.ssl.http.pemkey_filepath: /usr/share/elasticsearch/config/node1.key
searchguard.ssl.http.pemkey_password: XXXXXXXXXXXX
searchguard.ssl.http.pemtrustedcas_filepath: /usr/share/elasticsearch/config/root-ca.pem
searchguard.authcz.admin_dn:

• CN=admin.example.com,OU=Ops,O=example Com, Inc.,DC=example,DC=com

SGadmin command used
./sgadmin.sh -cd /usr/share/elasticsearch/config/sg/ -cacert /usr/share/elasticsearch/config/root-ca.pem -cert /usr/share/elasticsearch/config/admin.pem -key /usr/share/elasticsearch/config/admin.key -keypass XXXXXXXXXX -nhnv -icl

@Mmatos
There are a couple of things to check:

You can verify the certificate chain with below command:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

You can also connect to one of the containers and verify that the same exact certificates are mapped in container and those are being used in elasticsearch.yml.

The last thing, you can check is whether the subject line in certificate matches the admin_dn section in elasticsearch.yml.
The simplest way to get the exact line from certificate if you run below command:

openssl x509 -subject -nameopt RFC2253 -noout -in node.pem

string after "subject= " should match exactly

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.