Unable to change password for Admin user when running with Kubernetes

victor · May 29, 2019, 6:01am

Hi,

I am unable to change any settings what so ever regarding user passwords and the certificates that are to be used in production. When i try to edit the internal_users.yml file it complains that it’s a read-only file.

How do i solve this?

victor · May 29, 2019, 6:55am

I get the following in the logs:

`

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid certificates: /usr/share/elasticsearch/config/es-node1.pem

`

And i can see that the files are there, just that they are mounted as root:root:

-rw-r–r–. 1 root root 1703 May 29 06:52 admin.key
-rw-r–r–. 1 root root 1106 May 29 06:52 admin.pem
-rw-rw----. 1 elasticsearch root 207 May 29 06:52 elasticsearch.keystore
-rw-r–r–. 1 root root 1985 May 29 06:52 elasticsearch.yml
-rw-r–r–. 1 root root 1707 May 29 06:52 es-node1.key
-rw-r–r–. 1 root root 1143 May 29 06:52 es-node1.pem
-rw-rw----. 1 elasticsearch root 3613 Apr 2 15:56 jvm.options
-rw-rw-r–. 1 elasticsearch root 285 Apr 15 21:30 log4j2.properties
-rw-r–r–. 1 root root 1240 May 29 06:52 root-ca.pem

How can i fix this?

ThibaudF · May 29, 2019, 9:18am

Hello !
Not sure but have you tried to change the ownership?

chown elasticsearch:root *

You can even chown elasticsearch:elasticsearch *

Thi

victor · May 29, 2019, 11:43am

I had to do it a little differently, i basically mounted the certificates with 644 permission so that other users than root can read the certificates. But now i get the following errors which lead me to believe that i did something wrong when i generated the certificates:

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid certificates: /usr/share/elasticsearch/config/es-node1.pem
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:364) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:164) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:207) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:223) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:339) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.1.jar:6.7.1]
	... 6 more
Caused by: java.lang.IllegalArgumentException: File does not contain valid certificates: /usr/share/elasticsearch/config/es-node1.pem
	at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265) ~[?:?]
	at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.buildSSLServerContext(DefaultOpenDistroSecurityKeyStore.java:747) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:351) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:164) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:207) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:223) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:339) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.1.jar:6.7.1]
	... 6 more
Caused by: java.security.cert.CertificateException: found no certificates in input stream
	at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:98) ~[?:?]
	at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:64) ~[?:?]
	at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:1071) ~[?:?]
	at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:263) ~[?:?]
	at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.buildSSLServerContext(DefaultOpenDistroSecurityKeyStore.java:747) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:351) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:164) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:207) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:223) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:339) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.1.jar:6.7.1]
	... 6 more

Anthony · March 10, 2021, 4:27pm

@victor did you fix the certificate issue?

Topic		Replies	Views
Configuration LDAP with custom certificates kubernetes Open Source Elasticsearch and Kibana	15	1181	August 10, 2021
Reset default admin password Security	1	8549	April 30, 2021
Securityadmin.sh fails to update cluster config when using kirk certificates Security	3	5971	October 17, 2019
Certificate permissions with Docker Security	1	2032	May 18, 2019
Problem with the default admin Passwort OpenSearch	14	2869	March 25, 2024

Unable to change password for Admin user when running with Kubernetes

Related Topics