TLS certificate error in Search Guard. File does not contain valid private key Error

ES version : 6.3.2
Search Guard version: com.floragunn:search-guard-6:6.3.2-22.3

I have configured TLS node certificates which I generated from the TLS Certificate Generator - Search Guard. But I am getting the following error while starting ES.


If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.

[2018-07-30T15:17:34,925][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [******] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.3.2.jar:6.3.2]

at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) ~[elasticsearch-6.3.2.jar:6.3.2]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:701) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:162) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:488) ~[?:?]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:162) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]

… 6 more

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /usr/share/elasticsearch/config/sg/hostname.internal.bidfood.nl.key.pem

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145) ~[?:?]

at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:193) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:189) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:488) ~[?:?]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:162) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]

… 6 more

Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /usr/share/elasticsearch/config/sg/hostname.internal.bidfood.nl.key.pem

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267) ~[?:?]

at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145) ~[?:?]

at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:193) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:189) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:488) ~[?:?]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:162) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]

… 6 more

Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)

at sun.security.util.ObjectIdentifier.(ObjectIdentifier.java:257) ~[?:?]

at sun.security.util.DerInputStream.getOID(DerInputStream.java:320) ~[?:?]

at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:268) ~[?:?]

at java.security.AlgorithmParameters.init(AlgorithmParameters.java:312) ~[?:?]

at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:?]

at sun.security.x509.AlgorithmId.(AlgorithmId.java:114) ~[?:?]

at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:?]

at javax.crypto.EncryptedPrivateKeyInfo.(EncryptedPrivateKeyInfo.java:98) ~[?:?]

at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:978) ~[?:?]

at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1034) ~[?:?]

at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014) ~[?:?]

at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265) ~[?:?]

at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287) ~[?:?]

at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145) ~[?:?]

at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:193) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:189) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:488) ~[?:?]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:162) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]

… 6 more


Anyone, please help.

I have one more piece of information. I just tried another host's certificate, which I generated around 3-4 months back in the same way, and it worked perfectly.

Please post your elasticsearch.yml. Without seeing the configuration we are not able to help.


Please find the elasticsearch.yml. Here I have replaced my hostname with "hostname" and the IP address with xx.xx.xx.xx


cluster.name: "commerce_reporting"
node.name: "hostname"
network.host: 0.0.0.0
network.publish_host: "xx.xx.xx.xx"
discovery.zen.ping.unicast.hosts: ["xx.xx.xx.xx"]
discovery.zen.minimum_master_nodes: 1
searchguard.enterprise_modules_enabled: false
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.pemcert_filepath: 'sg/hostname.internal.bidfood.nl.crtfull.pem'
searchguard.ssl.transport.pemkey_filepath: 'sg/hostname.internal.bidfood.nl.key.pem'
searchguard.ssl.transport.pemkey_password: 'bdea6b13776c0282bc0d'
searchguard.ssl.transport.pemtrustedcas_filepath: sg/chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.authcz.admin_dn:
  - CN=sgadmin
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true


Just one more piece of information. With the same settings I used another set of certificates which I generated three months back, and it worked perfectly.

We have found the issue, please also see the related GitHub Ticket:

https://github.com/floragunncom/search-guard/issues/524

The hint “it worked 3 months back” was the right one. We have updated OpenSSL to 1.1.0. This version uses a different default format for the PKCS#8 keys which is not compatible with some Java versions. At the moment there’s no fix available.

https://bugs.openjdk.java.net/browse/JDK-8076999

We have updated the certificate generator to use the old format again. The easiest fix is to regenerate the certificates. As an alternative, you could also use OpenSSL for converting the keys, but I guess simply generating them again is easier.

Sorry for the inconvenience!
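The stack trace in this thread fails inside `PBES2Parameters.engineInit`, which means the key file is a PKCS#8 `ENCRYPTED PRIVATE KEY` protected with PBES2. The following added example (not from the thread or from Search Guard) reads the unencrypted algorithm header of such a file and reports the scheme, PRF and cipher without needing the password, so a working key and a failing key can be compared before a node is restarted. The function names are hypothetical and both sample keys are constructed with dummy salt, IV and ciphertext.

```python
import base64
import re

# DER-encoded OID bodies (hex) of the algorithms relevant to this error.
OIDS = {
    "2a864886f70d01050d": "PBES2",
    "2a864886f70d01050c": "PBKDF2",
    "2a864886f70d010c0103": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "2a864886f70d0207": "hmacWithSHA1",
    "2a864886f70d0209": "hmacWithSHA256",
    "60864801650304012a": "aes256-cbc",
}

def read_tlv(buf, pos=0):
    """Decode one DER element; return (tag, value, offset_after)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def alg_id(body):
    """AlgorithmIdentifier: return (algorithm name, list of parameter elements)."""
    (_, oid), *params = children(body)
    return OIDS.get(oid.hex(), "unknown OID " + oid.hex()), params

def inspect_key(pem):
    """Report how a PEM key file is protected, without needing the password."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    info = {"label": m.group(1), "scheme": None, "prf": None,
            "cipher": None, "pbes2": False}
    if info["label"] != "ENCRYPTED PRIVATE KEY":
        return info  # certificate, unencrypted PKCS#8 or traditional key
    _, outer, _ = read_tlv(base64.b64decode(m.group(2)))
    info["scheme"], params = alg_id(children(outer)[0][1])
    if info["scheme"] == "PBES2":
        kdf, enc = children(params[0][1])
        pbkdf2 = children(alg_id(kdf[1])[1][0][1])  # salt, iterations, [keyLength], [prf]
        has_prf = len(pbkdf2) > 2 and pbkdf2[-1][0] == 0x30
        info["prf"] = alg_id(pbkdf2[-1][1])[0] if has_prf else "hmacWithSHA1"
        info["cipher"] = alg_id(enc[1])[0]
        info["pbes2"] = True  # the structure PBES2Parameters.engineInit has to parse
    return info

# --- Constructed samples: valid DER structure, dummy salt/IV/ciphertext, no real key ---
def _tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length; samples stay < 128 bytes

def _oid(hex_body):
    return _tlv(0x06, bytes.fromhex(hex_body))

def _pem(der):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}-----END ENCRYPTED PRIVATE KEY-----\n"

def sample_pbes2():
    prf = _tlv(0x30, _oid("2a864886f70d0209"), _tlv(0x05))
    kdf = _tlv(0x30, _oid("2a864886f70d01050c"),
               _tlv(0x30, _tlv(0x04, b"\x01" * 8), _tlv(0x02, b"\x08\x00"), prf))
    enc = _tlv(0x30, _oid("60864801650304012a"), _tlv(0x04, b"\x02" * 16))
    alg = _tlv(0x30, _oid("2a864886f70d01050d"), _tlv(0x30, kdf, enc))
    return _pem(_tlv(0x30, alg, _tlv(0x04, b"\x00" * 16)))

def sample_pkcs12_3des():
    alg = _tlv(0x30, _oid("2a864886f70d010c0103"),
               _tlv(0x30, _tlv(0x04, b"\x01" * 8), _tlv(0x02, b"\x08\x00")))
    return _pem(_tlv(0x30, alg, _tlv(0x04, b"\x00" * 16)))

if __name__ == "__main__":
    for name, pem in (("pbes2", sample_pbes2()), ("3des", sample_pkcs12_3des())):
        print(name, inspect_key(pem))
```

A `label` of `CERTIFICATE` in the result covers the other cause the error message mentions, a certificate file configured where the key is expected.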


Thanks!! I will regenerate the certificates.