searchguard.ssl.transport.keystore_filepath must be set if transport ssl is reqested Error

Hello,

I keep getting this error (tried different settings) … just wanted to try a plain vanilla basic authentication w/o ssl

Step 1 - Installed the searchguard plug-in using the following command --> bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.2.2-11

Step 2 - Tried to start the cluster (version 5.2.2 - one node cluster), but got this error “searchguard.ssl.transport.keystore_filepath must be set if transport ssl is reqested”
Based on the support matrix that I found in the seach-guar wiki, ssl support comes bundled for searchguard 5.2.2-11, so I’ve decided to explicitly disable ssl.
Grabbed these options from the searchguard-ssl-config-template.yml

file and added them to elasticsearch-5.2.2/plugins/search-guard-5/sgconfig/elasticsearch.yml

Step 3 - added the following options to elasticsearch.yml

searchguard.ssl.transport.enabled: false
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available:false

but still getting the same error… I guess I’m missing something here - definitely need some guidance :slight_smile:

Thanks in advance,
Leo

Hello,

according to the readme (https://github.com/floragunncom/search-guard/blob/master/README.md): “Transport SSL is mandatory and you have to generate certificates for the nodes”

searchguard.ssl.transport.* settings are for the transport API (mainly used for inter-cluster communication, but also for sgadmin)
searchguard.ssl.http.* settings are for the REST API (used for applications, e.g. logstash,kibana,…) for which SSL/TLS can be disabled.

see also https://github.com/floragunncom/search-guard-ssl-docs/blob/master/certificates.md

for non production environments you could either use:

the elasticsearch.yml(.example) file in the sgconfig directory is just an example for the “real” elasticsearch config. (usually in /etc/elasticsearch/elasticsearch.yml)

regards,
0x2a

···

On Sunday, April 9, 2017 at 4:53:28 PM UTC+2, Leo Selochnik wrote:

Hello,

I keep getting this error (tried different settings) … just wanted to try a plain vanilla basic authentication w/o ssl

Step 1 - Installed the searchguard plug-in using the following command --> bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.2.2-11

Step 2 - Tried to start the cluster (version 5.2.2 - one node cluster), but got this error “searchguard.ssl.transport.keystore_filepath must be set if transport ssl is reqested”
Based on the support matrix that I found in the seach-guar wiki, ssl support comes bundled for searchguard 5.2.2-11, so I’ve decided to explicitly disable ssl.
Grabbed these options from the searchguard-ssl-config-template.yml

file and added them to elasticsearch-5.2.2/plugins/search-guard-5/sgconfig/elasticsearch.yml

Step 3 - added the following options to elasticsearch.yml

searchguard.ssl.transport.enabled: false
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available:false

but still getting the same error… I guess I’m missing something here - definitely need some guidance :slight_smile:

Thanks in advance,
Leo

0x2a is correct, you cannot disable TLS on the transport layer if you want to have authentication/authorisation.

We are in the course of updating the complete docs to make this more clear. In the meantime, you can use the tools mentioned by 0x2a to generate the certs.

As a side note: The next release of Search Guard will include a script to generate and install demo certificates on a vanilla ES installation. Release is planned for next week. Stay tuned!

···

On Sunday, April 9, 2017 at 4:53:28 PM UTC+2, Leo Selochnik wrote:

Hello,

I keep getting this error (tried different settings) … just wanted to try a plain vanilla basic authentication w/o ssl

Step 1 - Installed the searchguard plug-in using the following command --> bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.2.2-11

Step 2 - Tried to start the cluster (version 5.2.2 - one node cluster), but got this error “searchguard.ssl.transport.keystore_filepath must be set if transport ssl is reqested”
Based on the support matrix that I found in the seach-guar wiki, ssl support comes bundled for searchguard 5.2.2-11, so I’ve decided to explicitly disable ssl.
Grabbed these options from the searchguard-ssl-config-template.yml

file and added them to elasticsearch-5.2.2/plugins/search-guard-5/sgconfig/elasticsearch.yml

Step 3 - added the following options to elasticsearch.yml

searchguard.ssl.transport.enabled: false
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available:false

but still getting the same error… I guess I’m missing something here - definitely need some guidance :slight_smile:

Thanks in advance,
Leo