I am setting up a Bitbucket datacenter cluster and am having some problems with enabling SSL on elasticsearch. I have installed version 2.3.4 according to elasticsearch's own documents, installed buckler and it authenticates perfectly, but even when SSL is enabled it does not start up.
buckler.yml:
auth.basic.http.enabled: true auth.basic.username: admin auth.basic.password: <ourpasswordhere> auth.basic.tcp.enabled: true tls.http.enabled: true tls.tcp.enabled: true tls.keystore.path: /opt/elasticsearch-2.3.4/cacerts tls.keystore.password: changeit
At this point i keep getting errors like:
[2017-01-18 17:24:25,754][WARN ][netty.channel.socket.nio.AbstractNioSelector] Failed to initialize an accepted socket. java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/elasticsearch-2.3.4/cacerts" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) at java.security.AccessController.checkPermission(AccessController.java:884) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:127) at java.io.FileInputStream.<init>(FileInputStream.java:93) at com.atlassian.elasticsearch.buckler.config.TlsConfig.createContext(TlsConfig.java:63) at com.atlassian.elasticsearch.buckler.config.TlsConfig.createHandler(TlsConfig.java:49) at com.atlassian.elasticsearch.buckler.SecureHttpServerTransport$TlsHttpChannelPipelineFactory.getPipeline(SecureHttpServerTransport.java:99) at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)
Yet, the user i created for elasticsearch CAN read the file (can cat it, can append to it..), so pretty sure this is a false error.
I also never see a SSL port exposed. Will it be on 9300? Any help would be appreciated.
Damn this crap is badly documented. The CACERTS needs to be inside of the config directory, nowhere else.
Jonas,
Did you followed another guide other than this? https://confluence.atlassian.com/bitbucketserver/install-and-configure-a-remote-elasticsearch-instance-815577748.html
I have seen other guides using the Shield plugin...did you only used Buckler?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Agree on the documentation. On the cacerts - The cacerts is typically the truststore, not the keystore. I don't think the cacerts needs to be in the config dir.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.