Unable to change password for Admin user when running with Kubernetes

Hi,

I am unable to change any settings what so ever regarding user passwords and the certificates that are to be used in production. When i try to edit the internal_users.yml file it complains that it’s a read-only file.

How do i solve this?

I get the following in the logs:

`

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid certificates: /usr/share/elasticsearch/config/es-node1.pem

`

And i can see that the files are there, just that they are mounted as root:root:

-rw-r–r–. 1 root root 1703 May 29 06:52 admin.key
-rw-r–r–. 1 root root 1106 May 29 06:52 admin.pem
-rw-rw----. 1 elasticsearch root 207 May 29 06:52 elasticsearch.keystore
-rw-r–r–. 1 root root 1985 May 29 06:52 elasticsearch.yml
-rw-r–r–. 1 root root 1707 May 29 06:52 es-node1.key
-rw-r–r–. 1 root root 1143 May 29 06:52 es-node1.pem
-rw-rw----. 1 elasticsearch root 3613 Apr 2 15:56 jvm.options
-rw-rw-r–. 1 elasticsearch root 285 Apr 15 21:30 log4j2.properties
-rw-r–r–. 1 root root 1240 May 29 06:52 root-ca.pem

How can i fix this?

Hello !
Not sure but have you tried to change the ownership?

chown elasticsearch:root *

You can even chown elasticsearch:elasticsearch *

Thi

I had to do it a little differently, i basically mounted the certificates with 644 permission so that other users than root can read the certificates. But now i get the following errors which lead me to believe that i did something wrong when i generated the certificates:

Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid certificates: /usr/share/elasticsearch/config/es-node1.pem
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:364) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:164) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:207) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:223) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:339) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.1.jar:6.7.1]
	... 6 more
Caused by: java.lang.IllegalArgumentException: File does not contain valid certificates: /usr/share/elasticsearch/config/es-node1.pem
	at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265) ~[?:?]
	at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.buildSSLServerContext(DefaultOpenDistroSecurityKeyStore.java:747) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:351) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:164) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:207) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:223) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:339) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.1.jar:6.7.1]
	... 6 more
Caused by: java.security.cert.CertificateException: found no certificates in input stream
	at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:98) ~[?:?]
	at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:64) ~[?:?]
	at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:1071) ~[?:?]
	at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:263) ~[?:?]
	at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.buildSSLServerContext(DefaultOpenDistroSecurityKeyStore.java:747) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:351) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:164) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:207) ~[?:?]
	at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:223) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:339) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.1.jar:6.7.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.1.jar:6.7.1]
	... 6 more

@victor did you fix the certificate issue?