TLS Configuration error in elasticsearch

If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.

**Elasticsearch version:7.9.0

**Server OS version: Centos7

**Kibana version (if relevant): 7.9.0

**Describe the issue:
I am trying to test search-guard plugin for my ELK setup…I have installed search guard plugin with 7.9.0:45.0.0 version…After i have tried to install demo certificate with demo script…But its not generated any key files.So i have tried to use manual demo certificates…But its also not working…when i try to restart elasticsearch, it got failed and through below error.
Caused by: java.security.AccessControlException: access denied (“java.io.FilePermission” “/usr/share/elasticsearch/ssl-sg/esnode.pem” “read”)

Then i desired to generate own SSL with my working domain name using search-guard TLS online generator…I have pointed “elk.xxx.com” domain to my ELK server and generated SSL for that domain…Also updated ssl path in elasticsearch.yaml file…But i got same error…i am not sure what i did wrongly…i am trying to solve this issue in last 2 days…but no luck.

When i try to start elasticsearch, i got below error,
Caused by: java.security.AccessControlException: access denied (“java.io.FilePermission” “/usr/share/elasticsearch/ssl-sg/elk.xxx.com.crtfull.pem” “read”)

can some one help me to solve this issue ?

Provide configuration:
elasticsearch/config/elasticsearch.yml
Elasticsearch config details: (elasticsearch.yml)
xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false
searchguard.ssl.transport.pemcert_filepath:/usr/share/elasticsearch/ssl-sg/elk.xxx.com.crtfull.pem
searchguard.ssl.transport.pemkey_filepath:/usr/share/elasticsearch/ssl-sg/elk.xxx.com.key.pem
searchguard.ssl.transport.pemtrustedcas_filepath:/usr/share/elasticsearch/ssl-sg/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=test,L=test,C=de

elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
I haven’t made any changes in sg_config.yml

Provide logs:
Elasticsearch
Caused by: java.security.AccessControlException: access denied (“java.io.FilePermission” “/usr/share/elasticsearch/ssl-sg/elk.xxx.com.crtfull.pem” “read”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
at java.security.AccessController.checkPermission(AccessController.java:1036) ~[?:?]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:408) ~[?:?]
at java.lang.SecurityManager.checkRead(SecurityManager.java:747) ~[?:?]
at sun.nio.fs.UnixPath.checkRead(UnixPath.java:818) ~[?:?]
at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:149) ~[?:?]
at sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99) ~[?:?]
at java.nio.file.Files.readAttributes(Files.java:1843) ~[?:?]
at java.nio.file.Files.isDirectory(Files.java:2314) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:918) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:233) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initTransportSSLConfig(DefaultSearchGuardKeyStore.java:356) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:253) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:174) ~[?:?]
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:202) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:235) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:691) ~[elasticsearch-7.9.0.jar:7.9.0]
… 15 more
[2020-09-06T13:59:36,989][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [elk.devopsadmin.icu] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) ~[elasticsearch-cli-7.9.0.jar:7.9.0]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.9.0.jar:7.9.0]
Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:700) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:642) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:473) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:165) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.node.Node.(Node.java:328) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.node.Node.(Node.java:277) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.9.0.jar:7.9.0]
… 6 more
Caused by: java.lang.reflect.InvocationTargetException
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:691) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:642) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:473) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:165) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.node.Node.(Node.java:328) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.node.Node.(Node.java:277) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393) ~[elasticsearch-7.9.0.jar:7.9.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.9.0.jar:7.9.0]
… 6 more

The error tells you don’t have read permission for the esnode.pem file.

It is the same error here.

Make sure the Elasticsearch user has permission to read the TLS certificate file.

Also, make sure your TLS certificates are under elasticsearch/config directory.

which must be under the config/ directory, specified using a relative path (mandatory)

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.