Hey,
ElasticSearch version: 7.13.3
SearchGuard version: 7.13.3-52.1.0
I’m trying to use your provided offline certificate generation tool and here are a couple of issues I’ve faced. I guess the tool is working correctly, just the documentation needs to be more clear in a couple of places.
- Without having anything in out/ directory I’m running
./sgtlstool.sh -c ../config/example.yml -crt -v
as I assume this should generate everything for me, but when I run it I get:
[root@test-searchguard1 tools]# ./sgtlstool.sh -c ../config/example.yml -crt -v
WARNING: JAVA_HOME not set, will use /usr/bin/java
Executing: com.floragunn.searchguard.tools.tlstool.tasks.Validate@750e2b97
Executing: com.floragunn.searchguard.tools.tlstool.tasks.LoadCa@2eae8e6e
File out/signing-ca.key is encrypted but no password is given. Please specify a password in the configuration file.
No files have been written
Exception: com.floragunn.searchguard.tools.tlstool.ToolException: File out/signing-ca.key is encrypted but no password is given. Please specify a password in the configuration file.
at com.floragunn.searchguard.tools.tlstool.tasks.Task.tryConvertObjectToExpectedType(Task.java:267) ~[search-guard-tlstool-1.8.jar:1.8]
at com.floragunn.searchguard.tools.tlstool.tasks.Task.readObjectFromPem(Task.java:232) ~[search-guard-tlstool-1.8.jar:1.8]
at com.floragunn.searchguard.tools.tlstool.tasks.Task.readObjectFromPem(Task.java:212) ~[search-guard-tlstool-1.8.jar:1.8]
at com.floragunn.searchguard.tools.tlstool.tasks.LoadCa.run(LoadCa.java:68) ~[search-guard-tlstool-1.8.jar:1.8]
at com.floragunn.searchguard.tools.tlstool.SearchGuardTlsTool.run(SearchGuardTlsTool.java:213) ~[search-guard-tlstool-1.8.jar:1.8]
at com.floragunn.searchguard.tools.tlstool.SearchGuardTlsTool.main(SearchGuardTlsTool.java:61) [search-guard-tlstool-1.8.jar:1.8]
- To solve that I first run
./sgtlstool.sh -c ../config/example.yml -ca -v
to get the key generated and after that I run the previous command. But then I face another issue. I’ve set pkPassword to auto both for root and intermediate ca certs and in defaults. But then I get the error:
File out/signing-ca.key is encrypted but no password is given. Please specify a password in the configuration file.
Which again I was able to fix just by setting the same password instead of auto in all fields.
- So I’ve finally copied all certificates, added settings to elasticsearch.yml, but now upon startup I’m getting the following error:
java.lang.IllegalArgumentException: unknown setting [searchguard.ssl.http.pemkey_filepath] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
(I’ve installed the plugin before)
So either I misread something in the docs or it’s partly working or there’s something missing in docs.