Search Guard certificate error

I am running Elasticsearch 6.1.1 and Search Guard 6.1. I have created certificates and keys and edited the elasticsearch.yml file. I am getting the error below. The key is in pkcs8 format. I saw another post about that. This error in the logs happens when I try to start the elasticsearch service. Any help would be greatly appreciated.

search guard config in elasticsearch.yml (The password is the password used with the creation of the cert.)

searchguard.ssl.transport.pemcert_filepath: elkstack.cert.pem
searchguard.ssl.transport.pemkey_filepath: elkstack.key.pem
searchguard.ssl.transport.pemkey_password: ***********************************
searchguard.ssl.transport.pemtrustedcas_filepath: ca-chain.cert.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: elkstack.cert.pem
searchguard.ssl.http.pemkey_filepath: elkstack.key.pem
searchguard.ssl.http.pemkey_password: *****************************
searchguard.ssl.http.pemtrustedcas_filepath: ca-chain.cert.pem

elasticsearch.log:

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/jhelkstack.key.pem
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145) ~[?:?]
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:192) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:182) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_152]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:142) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.node.Node.(Node.java:302) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.node.Node.(Node.java:245) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.1.1.jar:6.1.1]
… 6 more
Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/jhelkstack.key.pem
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267) ~[?:?]
at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145) ~[?:?]
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:192) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:182) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_152]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:142) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.node.Node.(Node.java:302) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.node.Node.(Node.java:245) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.1.1.jar:6.1.1]
… 6 more

it the error message the key is named jhelkstack.key.pem but in the config the key is defined as elkstack.key.pem
Which one is supposed to be correct?

···

Am 30.01.2018 um 22:12 schrieb Chadwick Wendling <cadamwendling@gmail.com>:

I am running Elasticsearch 6.1.1 and Search Guard 6.1. I have created certificates and keys and edited the elasticsearch.yml file. I am getting the error below. The key is in pkcs8 format. I saw another post about that. This error in the logs happens when I try to start the elasticsearch service. Any help would be greatly appreciated.

search guard config in elasticsearch.yml (The password is the password used with the creation of the cert.)

searchguard.ssl.transport.pemcert_filepath: elkstack.cert.pem
searchguard.ssl.transport.pemkey_filepath: elkstack.key.pem
searchguard.ssl.transport.pemkey_password: ***********************************
searchguard.ssl.transport.pemtrustedcas_filepath: ca-chain.cert.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: elkstack.cert.pem
searchguard.ssl.http.pemkey_filepath: elkstack.key.pem
searchguard.ssl.http.pemkey_password: *****************************
searchguard.ssl.http.pemtrustedcas_filepath: ca-chain.cert.pem

elasticsearch.log:

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/jhelkstack.key.pem
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145) ~[?:?]
        at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:192) ~[?:?]
        at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:182) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_152]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:142) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.node.Node.<init>(Node.java:302) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.1.1.jar:6.1.1]
        ... 6 more
Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/jhelkstack.key.pem
        at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267) ~[?:?]
        at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145) ~[?:?]
        at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:192) ~[?:?]
        at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:182) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_152]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:142) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.node.Node.<init>(Node.java:302) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) ~[elasticsearch-6.1.1.jar:6.1.1]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.1.1.jar:6.1.1]
        ... 6 more

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/2f9fee40-83c8-4c87-9931-1a6052f278dc%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.