sgadmin stuck at "Contacting elasticsearch cluster 'elasticsearch' ..." on ES version 5.5.0

Hi,

I have spent almost 3 days in trying to get SearchGuard work inside our cluster. I generated the default certificates using the example.sh provided in search-guard-ssl-5.5.0. I copied 3 files to my /etc/elasticsearch/ directory and they are as follows:

  1. truststore.jks
  2. keystore.jks (renamed from original node-1-keystore.jks generated by example.sh)
  3. kirk-keystore.jks
    All these 3 files are owned by elasticsearch user on my node.

*** Please note I use elasticsearch as a service and my configuration files are picked up from /etc/elasticsearch directory. Running install_demo_configuration script also places the .jks files in the same directory. ***

My /etc/elasticsearch/elasticsearch.yml looks like this:


cluster.name: elasticsearch_dev
node.name: myNode1
path.conf: "/etc/elasticsearch"
path.logs: "/var/log/elasticsearch"
discovery.zen.ping.unicast.hosts:
- myNode2
- myNode3
discovery.zen.minimum_master_nodes: 2
network.host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Content-Length
http.detailed_errors.enabled : true
######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=de
######## End Search Guard Demo Configuration ########

Finally, I run the sgadmin command as follows and it does not ever find my cluster.
cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig

../../search-guard-5/tools/sgadmin.sh --accept-red-cluster -ks /etc/elasticsearch/kirk-keystore.jks -ts /etc/elasticsearch/truststore.jks -icl -nhnv

Logs:


WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v5
Will connect to localhost:9300 ... done
### LICENSE NOTICE Search Guard ###
If you use one or more of the following features in production
make sure you have a valid Search Guard license
(See https://floragunn.com/searchguard-validate-license)
* Kibana Multitenancy
* LDAP authentication/authorization
* Active Directory authentication/authorization
* REST Management API
* JSON Web Token (JWT) authentication/authorization
* Kerberos authentication/authorization
* Document- and Fieldlevel Security (DLS/FLS)
* Auditlogging
In case of any doubt mail to <sales@floragunn.com>

<details class='elided'>
<summary title='Show trimmed content'>&#183;&#183;&#183;</summary>

###################################
Contacting elasticsearch cluster 'elasticsearch' ...
Cannot retrieve cluster state due to: null. This is not an error, will keep on trying ...
* Try running sgadmin.sh with -icl (but no -cl) and -nhnv (If thats works you need to check your clustername as well as hostnames in your SSL certificates)
* Make also sure that your keystore or cert is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
* If this is not working, try running sgadmin.sh with --diagnose and see diagnose trace log file)
* Add --accept-red-cluster to allow sgadmin to operate on a red cluster.

solved here https://github.com/floragunncom/search-guard/issues/376

···

Am 22.08.2017 um 22:43 schrieb Saksham Ghimire <gsaxam@gmail.com>:

Hi,

I have spent almost 3 days in trying to get SearchGuard work inside our cluster. I generated the default certificates using the example.sh provided in search-guard-ssl-5.5.0. I copied 3 files to my /etc/elasticsearch/ directory and they are as follows:

  • truststore.jks
  • keystore.jks (renamed from original node-1-keystore.jks generated by example.sh)
  • kirk-keystore.jks
All these 3 files are owned by elasticsearch user on my node.

*** Please note I use elasticsearch as a service and my configuration files are picked up from /etc/elasticsearch directory. Running install_demo_configuration script also places the .jks files in the same directory. ***

My /etc/elasticsearch/elasticsearch.yml looks like this:

cluster.name: elasticsearch_dev
node.name: myNode1
path.conf: "/etc/elasticsearch"
path.logs: "/var/log/elasticsearch"
discovery.zen.ping.unicast.hosts:
- myNode2
- myNode3
discovery.zen.minimum_master_nodes: 2
network.host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Content-Length
http.detailed_errors.enabled : true

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

######## End Search Guard Demo Configuration ########

Finally, I run the sgadmin command as follows and it does not ever find my cluster.
cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig

../../search-guard-5/tools/sgadmin.sh --accept-red-cluster -ks /etc/elasticsearch/kirk-keystore.jks -ts /etc/elasticsearch/truststore.jks -icl -nhnv

Logs:

WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v5
Will connect to localhost:9300 ... done

### LICENSE NOTICE Search Guard ###

If you use one or more of the following features in production
make sure you have a valid Search Guard license
(See https://floragunn.com/searchguard-validate-license)

* Kibana Multitenancy
* LDAP authentication/authorization
* Active Directory authentication/authorization
* REST Management API
* JSON Web Token (JWT) authentication/authorization
* Kerberos authentication/authorization
* Document- and Fieldlevel Security (DLS/FLS)
* Auditlogging

In case of any doubt mail to <sales@floragunn.com>
###################################
Contacting elasticsearch cluster 'elasticsearch' ...
Cannot retrieve cluster state due to: null. This is not an error, will keep on trying ...
   * Try running sgadmin.sh with -icl (but no -cl) and -nhnv (If thats works you need to check your clustername as well as hostnames in your SSL certificates)
   * Make also sure that your keystore or cert is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
   * If this is not working, try running sgadmin.sh with --diagnose and see diagnose trace log file)
   * Add --accept-red-cluster to allow sgadmin to operate on a red cluster.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4f6bf709-c06d-4da9-bf74-a3640a09d9c9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.