sgadmin initial "initializing" not working

Benedikt_Haug · June 28, 2018, 3:12pm

Dear Searchguard Developers,

ES version: 6.3.0
Searchguard version: 6.3.0-22.3 (com.floragunn:search-guard-6:6.3.0-22.3)
JVM: 1.8.0_121-b13
Nr. of nodes: 2

Deployed via puppet: https://forge.puppet.com/elastic/elasticsearch

Description of the bug:

sgadmin.sh does not work as expected. Instead of initially “Initializing” the cluster it crashes:


usr/share/elasticsearch/plugins/search-guard-6# /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh --diagnose -cd /etc/elasticsearch/mes_any_log1/ -cacert /etc/ssl/team/certs/searchguard/admin-elasticsearchanylog-portal-wfe-bs.qa.server.lan.pem -cert /etc/ssl/team/certs/searchguard/admin-elasticsearchanylog-portal-wfe-bs.qa.server.lan.pem  -h mes-any-log-qa002.qa.server.lan -cn mes_any_log
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to mes-any-log-qa002.qa.server.lan:9300 ... done
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:701)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:114)
    at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:107)
    at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:132)
    at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:269)
    at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:887)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:442)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:124)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692)
    ... 7 more
Caused by: ElasticsearchException[Empty file path for searchguard.ssl.transport.pemkey_filepath]
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:701)
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:193)
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:282)
    at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:193)
    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:189)
    ... 12 more

This certificate is present and elasticsearch starts up as expected.

/etc/elasticsearch/mes_any_log1/elasticsearchanylog-portal-wfe-bs.qa.server.lan.pem

The file is declared relatively in the config but declaring it absolutely (referencing the whole path does not change this behaviour)

/etc/elasticsearch/mes_any_log1/elasticsearch.yml:searchguard.ssl.transport.pemkey_filepath: elasticsearchanylog-portal-wfe-bs.qa.server.lan.pem

It does not write any diagnose files and the documention lists no more things to try.

Benedikt_Haug · June 28, 2018, 3:22pm

Also tried placing the certificates in different paths and changing the directory the script runs in. The result does not change.

jkressin · July 1, 2018, 11:12am

Your sgadmin call is just lacking the private key for your certificate:

Empty file path for searchguard.ssl.transport.pemkey_filepath

``

You need to add:

-key Path to the key of admin certificate
-keypass Password of the key of admin certificate (optional)

``

···

On Thursday, June 28, 2018 at 5:22:01 PM UTC+2, Benedikt Haug wrote:

Also tried placing the certificates in different paths and changing the directory the script runs in. The result does not change.

Topic		Replies	Views
ElasticsearchSecurityException on running sgadmin.sh. Search Guard	0	453	September 25, 2017
Unable to execute sgadmin.sh Search Guard	6	1826	May 9, 2019
sgadmin error Search Guard	4	829	July 24, 2018
Search Guard not initialized (SG11) for indices:admin/exists Search Guard	2	860	September 28, 2017
Sgadmin.sh not initialising Elasticsearch Search Guard	6	1914	August 31, 2020

sgadmin initial "initializing" not working

Related topics