Hi,
I followed the documentation in order to set up Search Guard in a testing single-node ES cluster.
I initially generated both truststore.jks and keystore.jks files, using gen_root_ca.sh and gen_client_node_cert.sh respectively, this way:
./gen_root_ca.sh truestore.jks myCApass mypass
./gen_client_node_cert.sh node1 myCApass mypass
Then I copied truststore.jks and node1-keystore.jks to the ES config directory and edited elasticsearch.yml as shown below:
searchguard.ssl.transport.keystore_filepath: node1-keystore.jks
searchguard.ssl.transport.keystore_password: mypass
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: mypass
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.transport.resolve_hostname: true
After this, I could restart my node and check that the cluster state is YELLOW and Search Guard is properly recognized:
[2017-02-02T12:10:22,328][INFO ][o.e.h.HttpServer ] [dev-node1] publish_address {:49200}, bound_addresses {:49200}
[2017-02-02T12:10:22,329][INFO ][o.e.n.Node ] [dev-node1] started
[2017-02-02T12:10:22,485][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [dev-node1] searchguard index does not exist yet, so no need to load config on node startup. Use sgadmin to initialize cluster
[2017-02-02T12:10:22,485][INFO ][o.e.g.GatewayService ] [dev-node1] recovered [1] indices into cluster_state
[2017-02-02T12:10:22,671][INFO ][o.e.c.r.a.AllocationService] [dev-node1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
But if I try to send a request, I receive this message:
curl -s -XGET http://node1:49200/
Search Guard not initialized (SG11). See https://github.com/floragunncom/search-guard-docs/blob/master/sgadmin.md
So I tried to initialize Search Guard with the sgadmin.sh script using these parameters:
./sgadmin.sh -ts ~/NODE/ES_config/truststore.jks -tspass mypass -ks ~/NODE/ES_config/node1-keystore.jks -kspass mypass -cd ~/NODE/src/elastic/plugins/search-guard-5/sgconfig/ -cn devcluster -h node1 -p 49300
And this is the warning displayed:
Cannot retrieve cluster state due to: None of the configured nodes are available: [{#transport#-1}{fn7Ips5PQ4-WBsM17H3DNg}{node1}{:49300}]. This is not an error, will keep on trying …
- Try running sgadmin.sh with -icl and -nhnv (If thats works you need to check your clustername as well as hostnames in your SSL certificates)
- If this is not working, try running sgadmin.sh with --diagnose and see diagnose trace log file)
If I use the diagnose flag I can see this exception in the file returned, which doesn’t shed light on this:
ClusterHealthRequest:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{6cGCk1cERqyEk9BFBJ0KJw}{node1}{:49300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:328)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:226)
at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:59)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:345)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:403)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:392)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:704)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:726)
at com.floragunn.searchguard.tools.SearchGuardAdmin.generateDiagnoseTrace(SearchGuardAdmin.java:676)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:369)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:105)
Could you help me with this?
Many thanks!
Juan.