it has been indicated that:
“Make sure to remove the entry:
opendistro_security.allow_unsafe_democertificates: true”
but this gives error:
Caused by: java.lang.RuntimeException: Demo certificates found [bdc141ab2272c779d0f242b79063152c49e1b06a2af05e0fd90d505f2b44d5f5, 3e839e2b059036a99ee4f742814995f2fb0ced7e9d68a47851f43a3c630b5324]
I have my self-signed certificates and they work.
I have eliminated the test certificates
But I need to have this line:
I’m using the rpm version of open distro version 6.6.2-1. I first tried to move the certs in to a temp folder under /etc/elasticsearch with no success. However, deleting the demo certs from the /etc/elasticsearch folder seems to have solved the issue. Please note that the above actually works by setting :
i also using rpm version. and i have deleted the *.rpm and the elasticsearch.keystore and .elasticsearch.keystore.initial_md5sum from /etc/elasticsearch and also set opendistro_security.allow_unsafe_democertificates to false. but the elasticsearch failed to start with log:
systemctl -l status elasticsearch
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 四 2019-05-02 15:18:39 CST; 3s ago
Docs: http://www.elastic.co
Process: 22351 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=1/FAILURE)
Main PID: 22351 (code=exited, status=1/FAILURE)
5月 02 15:18:37 es.mylogs.com systemd[1]: Started Elasticsearch.
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: org.elasticsearch.cli.UserException: unable to create temporary keystore at [/etc/elasticsearch/elasticsearch.keystore.tmp], please check filesystem permissions
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/elasticsearch.keystore.tmp
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
5月 02 15:18:39 es.mylogs.com systemd[1]: elasticsearch.service: main process exited, code=exited, status=1/FAILURE
5月 02 15:18:39 es.mylogs.com systemd[1]: Unit elasticsearch.service entered failed state.
5月 02 15:18:39 es.mylogs.com systemd[1]: elasticsearch.service failed.
I am using RPM installation on CentOS 7, i a way to bring up it(and i don’t know if this procedures works for bringing up a cluster):
in the first round start, get the following settings to initialized the security index, and i can delete the demo certificates and upload our owns and also modify accordingly the configs under directory /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ before first round start:
I keep the elasticsearch.keystore and i found that rw(0x6) permissions on pem files being asked for elasticsearch group and if you put your pems under a subdirectory of /etc/elasticsearch, also rwx(0x7) permissions on the subdirectory being asked for elasticsearch group from the logs.