KeyStoreException: no key alias named xyz

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias

cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

Just making sure I'm not doing anything wrong before opening a bug on Github.

Any clues?

Please post your elasticsearch.yml

And it seems like you alias ‘myHappyAliasHere’ refers to a certificate and not to a private key. Maybe you can also post the complete verbose output of ‘keytool -list’

···

On Thursday, 28 July 2016 16:30:25 UTC+2, Breno Inojosa wrote:

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias


cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)


Just making sure I'm not doing anything wrong before opening a bug on Github.


Any clues?

Sorry, as I was replacing the text with fake data, I forgot to keep it consistent:

**myHappyAliasHere is the same as** **keystoreAliasHere**

It's interesting that when I try to generate another keystore with the same alias, it complains about it:
keytool error: java.lang.Exception: Certificate not imported, alias < myHappyAliasHere > already exists


Apart from the regular stuff on my elasticsearch.yml, I have:


searchguard.ssl.transport.enabled: true
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: myHappyPass
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: myHappyPass
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.keystore_password: myHappyPassTwo
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.keystore_password: myHappyPassTwo


···

On Thursday, July 28, 2016 at 4:46:56 PM UTC-3, in...@search-guard.com wrote:

Please post your elasticsearch.yml

And it seems like you alias ‘myHappyAliasHere’ refers to a certificate and not to a private key. Maybe you can also post the complete verbose output of ‘keytool -list’

On Thursday, 28 July 2016 16:30:25 UTC+2, Breno Inojosa wrote:

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias


cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)


Just making sure I'm not doing anything wrong before opening a bug on Github.


Any clues?

keytool -list gave me this:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

myHappyAliasHere, Jul 28, 2016, trustedCertEntry,

Certificate fingerprint (SHA1): …

···

On Thursday, July 28, 2016 at 5:41:50 PM UTC-3, Breno Inojosa wrote:

Sorry, as I was replacing the text with fake data, I forgot to keep it consistent:

**myHappyAliasHere is the same as** **keystoreAliasHere**

It's interesting that when I try to generate another keystore with the same alias, it complains about it:
keytool error: java.lang.Exception: Certificate not imported, alias < myHappyAliasHere > already exists


Apart from the regular stuff on my elasticsearch.yml, I have:


searchguard.ssl.transport.
enabled: true
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.
resolve_hostname: false
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.
truststore_password: myHappyPass
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.
truststore_password: myHappyPass
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.keystore_password: myHappyPassTwo
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.keystore_password: myHappyPassTwo



On Thursday, July 28, 2016 at 4:46:56 PM UTC-3, in...@search-guard.com wrote:

Please post your elasticsearch.yml

And it seems like you alias ‘myHappyAliasHere’ refers to a certificate and not to a private key. Maybe you can also post the complete verbose output of ‘keytool -list’

On Thursday, 28 July 2016 16:30:25 UTC+2, Breno Inojosa wrote:

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias


cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)


Just making sure I'm not doing anything wrong before opening a bug on Github.


Any clues?

Though I still want to understand why it’s not working this way, I have found that converting my key to PKCS12 and then to JKS works.

···

On Thursday, July 28, 2016 at 6:23:47 PM UTC-3, Breno Inojosa wrote:

keytool -list gave me this:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

myHappyAliasHere, Jul 28, 2016, trustedCertEntry,

Certificate fingerprint (SHA1): …

On Thursday, July 28, 2016 at 5:41:50 PM UTC-3, Breno Inojosa wrote:

Sorry, as I was replacing the text with fake data, I forgot to keep it consistent:

**myHappyAliasHere is the same as** **keystoreAliasHere**

It's interesting that when I try to generate another keystore with the same alias, it complains about it:
keytool error: java.lang.Exception: Certificate not imported, alias < myHappyAliasHere > already exists


Apart from the regular stuff on my elasticsearch.yml, I have:


searchguard.ssl.transport.
enabled: true
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.
resolve_hostname: false
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.
truststore_password: myHappyPass
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.
truststore_password: myHappyPass
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.keystore_password: myHappyPassTwo
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.keystore_password: myHappyPassTwo



On Thursday, July 28, 2016 at 4:46:56 PM UTC-3, in...@search-guard.com wrote:

Please post your elasticsearch.yml

And it seems like you alias ‘myHappyAliasHere’ refers to a certificate and not to a private key. Maybe you can also post the complete verbose output of ‘keytool -list’

On Thursday, 28 July 2016 16:30:25 UTC+2, Breno Inojosa wrote:

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias


cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)


Just making sure I'm not doing anything wrong before opening a bug on Github.


Any clues?

i’m getting this with sg-ssl-v2.3.5.15. Is there a fix? I’ve tried using the PKC512 type to no avail.

Chris

···

On Thursday, July 28, 2016 at 10:30:25 AM UTC-4, Breno Inojosa wrote:

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias


cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)


Just making sure I'm not doing anything wrong before opening a bug on Github.


Any clues?

Hi,

I have the same issue. I have my own-created certs, keystore and truststore. Keytool shows the alias from the keystore but the elasticsearch complains that it could not find the alias i mentioned. Here are my configs:

elasticsearch.yml

######## Start Search Guard Demo Configuration ########

searchguard.ssl.transport.keystore_filepath: keystore.jks

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_alias: root-ca

searchguard.ssl.transport.keystore_alias: elastic

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: keystore.jks

searchguard.ssl.http.keystore_alias: elastic

searchguard.ssl.http.truststore_alias: root-ca

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.authcz.admin_dn:

  • CN=marry,OU=Openstack,O=Cloud9 Networks FZE,L=DSO, C=AE

cluster.name: ES_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

[root@util tools]# keytool -list -v -keystore /etc/elasticsearch/keystore.jks -alias elastic

Enter keystore password:

Alias name: elastic

Creation date: Jun 14, 2017

Entry type: trustedCertEntry

Owner: EMAILADDRESS=abc@domain.com, CN=abc, OU=unit, O=org, L=cqg, ST=a, C=s

Issuer: ***************************************

Serial number: 1001

Valid from: Wed Jun 14 16:00:19 EDT 2017 until: Sun May 13 16:00:19 EDT 2018

Certificate fingerprints:

···

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.35 Criticality=false

#3: ObjectId: 2.5.29.19 Criticality=false

#4: ObjectId: 2.5.29.37 Criticality=false

#5: ObjectId: 2.5.29.15 Criticality=true

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false

#7: ObjectId: 2.5.29.14 Criticality=false


Elasticsearch log

[2017-06-14T18:26:33,166][ERROR][c.f.s.s.u.SSLCertificateHelper] Alias elastic does not exists or contain hold a certificate chain

[2017-06-14T18:26:33,232][ERROR][o.e.b.Bootstrap ] Exception

org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:430) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.4.0.jar:5.4.0]

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

... 14 more

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:261) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

... 14 more

Caused by: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:136) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:227) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

... 14 more

[2017-06-14T18:26:33,241][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: ElasticsearchException[Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]]; nested: InvocationTargetException; nested: ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic]; nested: KeyStoreException[no key alias named elastic];

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.4.0.jar:5.4.0]

Caused by: org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:430) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

... 6 more

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

... 6 more

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:261) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

... 6 more

Caused by: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:136) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:227) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

... 6 more

``

I don’t know why isn’t it picking up the alias.

On Friday, September 9, 2016 at 11:49:05 PM UTC+4, ZillaYT wrote:

i’m getting this with sg-ssl-v2.3.5.15. Is there a fix? I’ve tried using the PKC512 type to no avail.

Chris

On Thursday, July 28, 2016 at 10:30:25 AM UTC-4, Breno Inojosa wrote:

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias


cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)


Just making sure I'm not doing anything wrong before opening a bug on Github.


Any clues?

hi,
where you able to find a fix to this issue ?

i also facing the similar error.

···

On Thursday, June 15, 2017 at 4:10:55 AM UTC+5:30, Umair Hassan wrote:

Hi,

I have the same issue. I have my own-created certs, keystore and truststore. Keytool shows the alias from the keystore but the elasticsearch complains that it could not find the alias i mentioned. Here are my configs:

elasticsearch.yml

######## Start Search Guard Demo Configuration ########

searchguard.ssl.transport.keystore_filepath: keystore.jks

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_alias: root-ca

searchguard.ssl.transport.keystore_alias: elastic

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: keystore.jks

searchguard.ssl.http.keystore_alias: elastic

searchguard.ssl.http.truststore_alias: root-ca

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.authcz.admin_dn:

  • CN=marry,OU=Openstack,O=Cloud9 Networks FZE,L=DSO, C=AE

cluster.name: ES_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

[root@util tools]# keytool -list -v -keystore /etc/elasticsearch/keystore.jks -alias elastic

Enter keystore password:

Alias name: elastic

Creation date: Jun 14, 2017

Entry type: trustedCertEntry

Owner: EMAILADDRESS=a...@domain.com, CN=abc, OU=unit, O=org, L=cqg, ST=a, C=s

Issuer: ***************************************

Serial number: 1001

Valid from: Wed Jun 14 16:00:19 EDT 2017 until: Sun May 13 16:00:19 EDT 2018

Certificate fingerprints:


Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.35 Criticality=false

#3: ObjectId: 2.5.29.19 Criticality=false

#4: ObjectId: 2.5.29.37 Criticality=false

#5: ObjectId: 2.5.29.15 Criticality=true

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false

#7: ObjectId: 2.5.29.14 Criticality=false

[2017-06-14T18:26:33,166][ERROR][c.f.s.s.u.SSLCertificateHelper] Alias elastic does not exists or contain hold a certificate chain

[2017-06-14T18:26:33,232][ERROR][o.e.b.Bootstrap ] Exception

org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:430) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.4.0.jar:5.4.0]

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

… 14 more

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:261) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

… 14 more

Caused by: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:136) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:227) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

… 14 more

[2017-06-14T18:26:33,241][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: ElasticsearchException[Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]]; nested: InvocationTargetException; nested: ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic]; nested: KeyStoreException[no key alias named elastic];

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.4.0.jar:5.4.0]

Caused by: org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:430) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

… 6 more

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:261) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

… 6 more

Caused by: java.security.KeyStoreException: no key alias named elastic

at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:136) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:227) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:150) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:205) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.node.Node.(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap$6.(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]

… 6 more


Elasticsearch log

``

I don’t know why isn’t it picking up the alias.

On Friday, September 9, 2016 at 11:49:05 PM UTC+4, ZillaYT wrote:

i’m getting this with sg-ssl-v2.3.5.15. Is there a fix? I’ve tried using the PKC512 type to no avail.

Chris

On Thursday, July 28, 2016 at 10:30:25 AM UTC-4, Breno Inojosa wrote:

Hi all,

I have set up the latest stable version of search-guard-ssl (2.3.4.14) and I generated both keystore and truststore by doing:

keytool -importcert -file /etc/elasticsearch/ca.pem -keystore /etc/elasticsearch/truststore.jks -storepass myHappyPass -noprompt -alias myHappyAlias


cat /etc/elasticsearch/chain.pem /etc/elasticsearch/server.key | keytool -importcert -keystore /etc/elasticsearch/keystore.jks -storepass myHappyPassTwo -noprompt -alias keystoreAliasHere

And running this command keytool -list -keystore keystore.jks -alias myHappyAliasHere successfully returns this**:**

myHappyAliasHere, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): …

All my configs are under /etc/elasticsearch only.

So I guess everything is fine on my side, but when I run elasticsearch, I get this:

Exception in thread “main” ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named myHappyAliasHere]; nested: KeyStoreException[no key alias named myHappyAliasHere];

Likely root cause: java.security.KeyStoreException: no key alias named myHappyAliasHere
	at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:122)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:211)
	at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
	at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:126)
	at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
	at org.elasticsearch.node.Node.<init>(Node.java:179)
	at org.elasticsearch.node.Node.<init>(Node.java:140)
	at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)


Just making sure I'm not doing anything wrong before opening a bug on Github.


Any clues?