How to delete or modify settings for searchguard index

If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.

Elasticsearch version: 6.8.2
SG version 6-6.8.2-25-5

Describe the issue:
After disk fulfillment all indices went to
“blocks” : {
“read_only_allow_delete” : “true”
as well as searchguard index.
I have extended disk space but also I need to remove this block with
‘{ “index.blocks.read_only_allow_delete”: null }’

I tried to make a curl with admin certificate but got

curl -k   --cert certificate.pem   --key mydomain.key    -XPUT "http://localhost:9200/_all/_settings"   -H 'Content-Type: application/json'   -d '{ "index.blocks.read_only_allow_delete": null }'

Also I tried to use to remove searchguard index but

 ${SG_PLUGIN_DIR}/tools/ -ts ${ES_STORE_DIR}/truststore.jks -tspass changeit   -ks ${ES_STORE_DIR}/broker.jks -kspass changeit   -dci -nhnv
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{JayJ2ve0RkitYofJmXQXVw}{localhost}{}]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{JayJ2ve0RkitYofJmXQXVw}{localhost}{}]]
        at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(
        at org.elasticsearch.client.transport.TransportClientNodesService.execute(
        at org.elasticsearch.client.transport.TransportProxyClient.execute(
        at org.elasticsearch.client.transport.TransportClient.doExecute(

Provide configuration:

  logs: "/var/vcap/sys/log/elasticsearch"
  data: "/var/vcap/store/elasticsearch"
  repo: "/var/vcap/store/elasticsearch"

bootstrap.memory_lock: true es_cluster false
searchguard.enterprise_modules_enabled: false
searchguard.enable_snapshot_restore_privilege: true

    - CN=broker,OU=client,O=client,L=test, C=DE
      keystore_filepath: nodename-keystore.jks
      keystore_password: changeit
      truststore_filepath: truststore.jks
      truststore_password: changeit
      enforce_hostname_verification: false


    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
      # see
      # To make this work you need to install
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
      anonymous_auth_enabled: false
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see for regex help
        ###### more information about XFF
        ###### and here
        ###### and
        http_enabled: true
        transport_enabled: true
        order: 4
          type: basic
          challenge: true
          type: intern

Hi. The curl option -k, --insecure makes every TLS connection secure by ignoring the verification phase. You shouldn’t use it if you provide the certificates. And you need to provide the root CA certificate to make it work. Also, execute the curl command in the verbose mode to display the connection details.

For example

curl -v \
  --cert /path/to/certificate.pem  \
  --key /path/to/mydomain.key \
  --cacert /path/to/root-ca.pem  \
  -XPUT "http://localhost:9200/_all/_settings" \
  -H 'Content-Type: application/json' \
  -d '{ "index.blocks.read_only_allow_delete": null }'

P.S. Make sure the certificates can be reached via the specified path.

I have extracted certs from broker.jks keystore that I used for cofniguration SG

${SG_PLUGIN_DIR}/tools/ \
  -ts ${ES_STORE_DIR}/truststore.jks -tspass changeit \
  -ks ${ES_STORE_DIR}/broker.jks -kspass changeit \
  -cd ${SG_CONFIG_DIR}/sgconfig -icl -nhnv
curl -v   --cert certificate.pem    --key mydomain.key   --cacert root.crt    -XPUT "http://localhost:9200/_all/_settings"   -H 'Content-Type: application/json'   -d '{ "index.blocks.read_only_allow_delete": null }'
*   Trying
* Connected to localhost ( port 9200 (#0)
> PUT /_all/_settings HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 47
* upload completely sent off: 47 out of 47 bytes
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Search Guard"
< content-type: text/plain; charset=UTF-8
< content-length: 12
* Connection #0 to host localhost left intact

Do you see any error in the Elasticsearch log?

no. I made tail -f for es_cluster.log and made curl. any new line…

I see we both did a typo in the curl command. It should be HTTPS: -XPUT "https://localhost:9200/_all/_settings". I tried the command locally on my machine and got {"acknowledged":true}.

curl -v \
>   --cert certificate.pem  \
>   --key mydomain.key \
>   --cacert root-ca.crt  \
>   -XPUT "https://localhost:9200/_all/_settings" \
>   -H 'Content-Type: application/json' \
>   -d '{ "index.blocks.read_only_allow_delete": null }'
*   Trying
* Connected to localhost ( port 9200 (#0)
* found 1 certificates in root-ca.crt
* found 516 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

how many certs you has in * found 1 certificates in root-ca.crt

Please look at the Elasticsearch logs now and paste it here if there is any error.

still nothing…

It sounds like the root-ca.crt is wrong.

I looked at your elasticsearch.yml again and saw no searchguard.ssl.http configuration? Did you cut the config by accident when you paste it or you really don’t have searchguard.ssl.http?

I don’t have searchguard.ssl.http at all
- CN=broker,OU=client,O=client,L=test, C=DE
make to sense without Configuring TLS | Elasticsearch Security | Search Guard configuration ?

Now it looks like that false
searchguard.enterprise_modules_enabled: true #- ----- set this to test REST API access
searchguard.enable_snapshot_restore_privilege: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: broker.jks
searchguard.restapi.roles_enabled: [“sg_all_access,admin”]
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.clientauth_mode: OPTIONAL
- CN=broker,OU=client,O=client,L=test, C=DE

Ok, did you try the curl command with this new configuration? What was the result? Check the Elasticsearch log for errors if the result is not {"acknowledged":true}.

This works!!! Thank you very much

1 Like

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.