It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Elasticsearch SSL

Jonas Andersson Jan 18, 2017

I am setting up a Bitbucket datacenter cluster and am having some problems with enabling SSL on elasticsearch. I have installed version 2.3.4 according to elasticsearch's own documents, installed buckler and it authenticates perfectly, but even when SSL is enabled it does not start up.


auth.basic.http.enabled: true
auth.basic.username: admin
auth.basic.password: <ourpasswordhere>
auth.basic.tcp.enabled: true
tls.http.enabled: true
tls.tcp.enabled: true
tls.keystore.path: /opt/elasticsearch-2.3.4/cacerts
tls.keystore.password: changeit


At this point i keep getting errors like:

[2017-01-18 17:24:25,754][WARN ][] Failed to initialize an accepted socket. access denied ("" "/opt/elasticsearch-2.3.4/cacerts" "read")
    at java.lang.SecurityManager.checkPermission(
    at java.lang.SecurityManager.checkRead(
    at com.atlassian.elasticsearch.buckler.config.TlsConfig.createContext(
    at com.atlassian.elasticsearch.buckler.config.TlsConfig.createHandler(
    at com.atlassian.elasticsearch.buckler.SecureHttpServerTransport$TlsHttpChannelPipelineFactory.getPipeline(
    at org.jboss.netty.util.internal.DeadLockProofWorker$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

Yet, the user i created for elasticsearch CAN read the file (can cat it, can append to it..), so pretty sure this is a false error.

I also never see a SSL port exposed. Will it be on 9300? Any help would be appreciated.


2 answers

1 accepted

1 vote
Answer accepted
Jonas Andersson Jan 18, 2017

Damn this crap is badly documented. The CACERTS needs to be inside of the config directory, nowhere else.

Gustavo Segura Sep 20, 2017


Did you followed another guide other than this?

I have seen other guides using the Shield plugin...did you only used Buckler?

0 votes
Carl Golaszewski Apr 05, 2017 • edited

Agree on the documentation. On the cacerts - The cacerts is typically the truststore, not the keystore. I don't think the cacerts needs to be in the config dir. 

Suggest an answer

Log in or Sign up to answer
This widget could not be displayed.
This widget could not be displayed.
Community showcase
Published in Bitbucket Pipelines

Building a Bitbucket Pipe as a casual coder :  #!/bin/bash source "$(dirname "$0")/" enable_debug extra_args="" if [[ "${DEBUG}" == "true" ]]; then extra_args="--verbose" fi # mandatory variables R...

1,976 views 1 19
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you