Elasticsearch SSL

Jonas Andersson
January 18, 2017

I am setting up a Bitbucket datacenter cluster and am having some problems with enabling SSL on elasticsearch. I have installed version 2.3.4 according to elasticsearch's own documents, installed buckler and it authenticates perfectly, but even when SSL is enabled it does not start up.

buckler.yml:

auth.basic.http.enabled: true
auth.basic.username: admin
auth.basic.password: <ourpasswordhere>
auth.basic.tcp.enabled: true
tls.http.enabled: true
tls.tcp.enabled: true
tls.keystore.path: /opt/elasticsearch-2.3.4/cacerts
tls.keystore.password: changeit


At this point I keep getting errors like:

[2017-01-18 17:24:25,754][WARN ][netty.channel.socket.nio.AbstractNioSelector] Failed to initialize an accepted socket.
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/elasticsearch-2.3.4/cacerts" "read")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at java.io.FileInputStream.<init>(FileInputStream.java:127)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at com.atlassian.elasticsearch.buckler.config.TlsConfig.createContext(TlsConfig.java:63)
    at com.atlassian.elasticsearch.buckler.config.TlsConfig.createHandler(TlsConfig.java:49)
    at com.atlassian.elasticsearch.buckler.SecureHttpServerTransport$TlsHttpChannelPipelineFactory.getPipeline(SecureHttpServerTransport.java:99)
    at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134)
    at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Yet, the user I created for elasticsearch CAN read the file (can cat it, can append to it..), so pretty sure this is a false error.

I also never see an SSL port exposed. Will it be on 9300? Any help would be appreciated.


2 answers

1 accepted

1 vote
Answer accepted
Jonas Andersson
January 18, 2017

Damn this crap is badly documented. The CACERTS needs to be inside of the config directory, nowhere else.

Gustavo Segura September 20, 2017

Jonas,

Did you follow another guide other than this? https://confluence.atlassian.com/bitbucketserver/install-and-configure-a-remote-elasticsearch-instance-815577748.html

I have seen other guides using the Shield plugin...did you only use Buckler?

0 votes
Carl Golaszewski April 5, 2017

Agree on the documentation. On the cacerts - The cacerts is typically the truststore, not the keystore. I don't think the cacerts needs to be in the config dir. 
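A small pre-flight check, written for this thread and not part of Buckler or Bitbucket, that parses a buckler.yml like the one in the question and flags the two points raised above: a tls.keystore.path outside the Elasticsearch config directory (which is where the AccessControlException in the trace comes from, on the assumption that the plugin is only granted file read permission below that directory) and a keystore still using the JDK default truststore password. The config directory path and the sample file are constructed for the example.

```python
import os

# Constructed copy of the buckler.yml from the question (password elided as in the post).
SAMPLE_YML = """\
auth.basic.http.enabled: true
auth.basic.username: admin
auth.basic.password: <ourpasswordhere>
auth.basic.tcp.enabled: true
tls.http.enabled: true
tls.tcp.enabled: true
tls.keystore.path: /opt/elasticsearch-2.3.4/cacerts
tls.keystore.password: changeit
"""

def parse_buckler(text):
    """Parse the flat 'dotted.key: value' lines Buckler uses; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings

def inside_dir(path, directory):
    """True when path (after resolving symlinks and '..') lies under directory."""
    p = os.path.realpath(path)
    d = os.path.realpath(directory)
    return os.path.commonpath([p, d]) == d

def check_buckler(text, config_dir):
    """Return a list of problems with the TLS keystore settings; empty means they look sane."""
    s = parse_buckler(text)
    problems = []
    if s.get("tls.http.enabled") != "true" and s.get("tls.tcp.enabled") != "true":
        return problems  # TLS is off, so the keystore settings are not used
    path = s.get("tls.keystore.path")
    if path is None:
        problems.append("TLS enabled but tls.keystore.path is not set")
    elif not inside_dir(path, config_dir):
        # Assumption: the plugin only holds FilePermission 'read' below config_dir, so a
        # keystore anywhere else produces the AccessControlException seen in the question.
        problems.append(f"keystore {path} is outside {config_dir}; move it under the config directory")
    if s.get("tls.keystore.password") == "changeit":
        problems.append("tls.keystore.password is the JDK default 'changeit'; use a dedicated keystore with its own password")
    return problems

if __name__ == "__main__":
    for p in check_buckler(SAMPLE_YML, "/opt/elasticsearch-2.3.4/config"):
        print("PROBLEM:", p)
```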
