[ISSUE] SSL not working with 1.16.12 ROR

I moved this from another thread as that was mainly focusing on having the ROR config in separate config file. The issue is that on ROR 1.16.12, SSL is not working as ROR is not able to resolve the keystore path. I have tested this on v5.5.1 of ES on windows 2012 and windows 2008.

In earlier version(1.16.11), I was able to atleast give the full path and SSL was getting enabled. But now, it shows the error as given below.

[2017-10-25T16:56:30,502][INFO ][t.b.r.e.SSLTransportNetty4] SSL: attempting with JKS keystore..
[2017-10-25T16:56:30,507][ERROR][t.b.r.e.SSLTransportNetty4] Failed to load SSL certs and keys from JKS Keystore!

I had to rollback to 1.16.11 due to this error. Below is the keystore_file entry that i have in elasticsearch.yml file.

keystore_file: D:\Apps\Progra~1\Elasticsearch-5.5.1\config\my.keystore.jks

I also tried placing the keystore in the readonlyrest plugin folder with below entry and that also resulted in same error.

keystore_file: “plugins/readonlyrest/my.keystore.jks”

Please let me know if you need any further details.

Thanks!

Hi @askids, thanks for reporting this, the keystore resolution has the same mechanism of the readonlyrest.yml.
The problem is that from the plugin code I have no access to the command line arguments people pass to ES, one in particular the -Epath.conf=....
So what the plugin is doing is assuming that the conf dir is a child of the ES_HOME dir, which is definitely not always true. Especially when the -E is used.

More on this: Plugin Development: access command line arguments - Elasticsearch - Discuss the Elastic Stack

Thanks for taking this up. In the meantime, when you try to work on the fix, i will try out one more option tomorrow. Since you are saying that readonlyrest.yml path is being resolved in the same way as keystore and since readonlyrest.yml is now being resolved properly, I will have the keystore in config folder(which I already do). But I will provide justt the keystore file name and no other info(full path or relative path). If that works, then temporarily that should solve my problem. Will keep you posted.

@sscarduzio, as mentioned previously I gave it another shot and changed the keystore_file: to just have file name “my_keystore.jks”. Even then it did not work. But in the ES log, I did not find any additional information. ES log simply said “Failed to load SSL certs” as before.

So I manually ran the Elasticsearch.bat and saw the below error in the console.

java.security.AccessControlException: access denied ("java.io.FilePermission" "D:\Apps\elasticsearch-5.5.1\D:\Apps\elasticsearch-5.5.1\my_keystore.jks" "read")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) 
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at java.io.FileInputStream.<init>(FileInputStream.java:127)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at tech.beshu.ror.commons.SSLCertParser.lambda$createContext$0(SSLCertParser.java:67)
    at java.security.AccessController.doPrivileged(Native Method)
    at tech.beshu.ror.commons.SSLCertParser.createContext(SSLCertParser.java:63)
    at tech.beshu.ror.commons.SSLCertParser.<init>(SSLCertParser.java:45)
    at tech.beshu.ror.es.SSLTransportNetty4$SSLHandler.<init>(SSLTransportNetty4.java:87)
    at tech.beshu.ror.es.SSLTransportNetty4.configureServerChannelHandler(SSLTransportNetty4.java:78)
    at org.elasticsearch.http.netty4.Netty4HttpServerTransport.doStart(Netty4HttpServerTransport.java:297)
    at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69)
    at org.elasticsearch.node.Node.start(Node.java:745)
    at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:278)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:351)
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:132)
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:123)
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:70)
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134)
    at org.elasticsearch.cli.Command.main(Command.java:90)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84)

Looks like instead of taking ES_HOME\config\my_keystore.jks as the keystore path, the code is somehow taking ES_HOME\ES_HOME\my_keystore.jks. Can you please fix this?

This is fixed in 1.16.13-pre1

I tested this on both Windows 2008 and 2012. SSL is working fine now.

1 Like