Sgadmin fails with "File does not contain valid private key"

Hi,

I’m setting up my ELK stack with searchguard plugin. I have generated my keys using following command

keytool -genkeypair -keyalg RSA -keystore elk_keystore.p12 -storetype PKCS12 -storepass -sigalg SHA256withRSA -keysize 4096 -alias elkserver -keypass -validity 1825 -dname “O=<org_name>, L=, ST=, C=<country_code>, CN=<my_cn_name>”

I was able to start elasticsearch with the above keys and certificates, however when I’m trying to run the sgadmin command using the above keys, I’m getting following error.
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: …

Please see below my elasticsearch.yml

searchguard.ssl.transport.pemcert_filepath: elasticserver.cer
searchguard.ssl.transport.pemkey_filepath: elasticserver.key
searchguard.ssl.transport.pemtrustedcas_filepath: intermediate-root-integrated.cer
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: elasticserver.cer
searchguard.ssl.http.pemkey_filepath: elasticserver.key
searchguard.ssl.http.pemtrustedcas_filepath: intermediate-root-integrated.cer
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - 'CN=$$my_cn$$, O=$$my_org$$, C=$$country_code$$, L=$$country$$, ST=$$country$$'
searchguard.nodes_dn:
  - 'CN=$$my_cn$$, O=$$my_org$$, C=$$country_code$$, L=$$country$$, ST=$$country$$'

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
xpack.security.enabled: false

I have used same certificates as both admin and node certificates. This is the sgadmin command I have used,

./sgadmin.sh -h -p 9300 -cn elasticsearch -cd …/sgconfig/ -nhnv -cacert <path_to_intermediate-root-integrated.cer> -cert <path_to_elasticserver.cer> -key <path_to_elasticserver.key> -keypass

Kindly help to find out what is the problem here.

Thanks in advance.

Is your elasticserver.key file encrypted (with a password)?

Yes it’s. I have provided the password to sgadmin with keypass parameter

You did not specifiy a password in elasticsearch.yml . Try to set searchguard.ssl.transport.pemkey_password and searchguard.ssl.http.pemkey_password

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.