Demo Certificates Found Error while starting ElasticSearch

Hello All ,

I am trying to install my self signed certificates in Open distro for Elastic search and I see the below error when i am trying to start my elasticsearch . Please help me and i am stuck with this issue for past 2 day.Error shown below.

uncaught exception in thread [main]
java.lang.IllegalStateException: failed to load plugin class [com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin]
Likely root cause: java.lang.RuntimeException: Demo certificates found [d14aefe70a592d7a29e14f3ff89c3d0070c99e87d21776aa07d333ee877e758f, 54a70016e0837a2b0c5658d1032d7ca32e432c62c55f01a2bf5adcb69a0a7ba9, bdc141ab2272c779d0f242b79063152c49e1b06a2af05e0fd90d505f2b44d5f5, 3e839e2b059036a99ee4f742814995f2fb0ced7e9d68a47851f43a3c630b5324, 9b13661c073d864c28ad7b13eda67dcb6cbc2f04d116adc7c817c20b4c7ed361]
        at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:359)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605)
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556)
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471)
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163)
        at org.elasticsearch.node.Node.<init>(Node.java:313)
        at org.elasticsearch.node.Node.<init>(Node.java:257)
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221)
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221)
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349)
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170)
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
For complete error details, refer to the log at G:\ESearch_OD_Log\S1220001230A.log

My elasticsearch.yml

#action.destructive_requires_name: true
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,O=LONUS,L=NewYork, C=US
opendistro_security.nodes_dn:
  - CN=elasticsearch,O=LON,L=London,C=DE
  - CN=kibana,O=LON,L=London,C=DE
  - CN=<My hostname>
  - /CN=.*regex/
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

Things i tried to fix the same are

  1. Removed the line "opendistro_security.allow_unsafe_democertificates: true " or setting the line to false “opendistro_security.allow_unsafe_democertificates: false”
  2. Moving the demo certificates to a seperate folder.

None of the solutions worked . Kindly let me know if i am doing anything wrong and i followed the link “SSL authentication certificates” for generating the certificates.

Hello,

I used this script to generate the certificates:

#!/bin/bash

echo “**********”

echo “* Root CA”

openssl genrsa -out root-ca-key.pem 2048"

openssl req -days 3650 -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj “/C=DE/L=Berlin/O=Company/CN=root-ca”’

echo “**********”

echo “* Admin cert”

echo “create: admin-key-temp.pem”

openssl genrsa -out admin-key-temp.pem 2048

echo “create: admin-key.pem”

openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

echo “create: admin.csr”

openssl req -days 3650 -new -key admin-key.pem -out admin.csr -subj “/C=US/L=NewYork/O=CompanyUS/CN=admin”

echo “create: admin.pem”

openssl x509 -req -days 3650 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

echo “**********”

echo “* Node cert”

echo “create: node-key-temp.pem”

openssl genrsa -out node-key-temp.pem 2048

echo “create: node-key.pem”

openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem

echo “create: node.csr”

openssl req -days 3650 -new -key node-key.pem -out node.csr -subj “/C=DE/L=Berlin/O=Company/CN=*.elasticsearch”

echo “create: node.pem”

openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem

echo “**********”

echo “* Kibana cert”

echo “create: kibana-key-temp.pem”

openssl genrsa -out kibana-key-temp.pem 2048

echo “create: kibana-key.pem”

openssl pkcs8 -inform PEM -outform PEM -in kibana-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kibana-key.pem

echo “create: kibana.csr”

openssl req -days 3650 -new -key kibana-key.pem -out kibana.csr -subj “/C=DE/L=Berlin/O=Company/CN=kibana”

echo “create: kibana.pem”

openssl x509 -req -days 3650 -in kibana.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out kibana.pem

echo “*** Ende ***”

And here is my Elasticsearch.yml:

cluster.name: “k8s-logs”

network.host: 0.0.0.0

path.repo: ["/var/nfs"]

opendistro_security.ssl.transport.pemcert_filepath: node.pem

opendistro_security.ssl.transport.pemkey_filepath: node-key.pem

opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem

opendistro_security.ssl.transport.enforce_hostname_verification: false

opendistro_security.ssl.http.enabled: true

opendistro_security.ssl.http.pemcert_filepath: node.pem

opendistro_security.ssl.http.pemkey_filepath: node-key.pem

opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem

#opendistro_security.allow_unsafe_democertificates: true

opendistro_security.allow_default_init_securityindex: true

opendistro_security.authcz.admin_dn:

  • ‘CN=admin,O=CompanyUS,L=NewYork,C=US’

opendistro_security.nodes_dn:

  • ‘CN=*.elasticsearch,O=Company,L=Berlin,C=DE’

  • ‘CN=kibana,O=Company,L=Berlin,C=DE’

  • ‘CN=*,O=Company,L=Berlin,C=DE’

  • ‘CN=k8s-logs*’

  • ‘/CN=.*regex/’

opendistro_security.audit.type: internal_elasticsearch

opendistro_security.enable_snapshot_restore_privilege: true

opendistro_security.check_snapshot_restore_write_privileges: true

opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]

cluster.routing.allocation.disk.threshold_enabled: false

node.max_local_storage_nodes: 3

I used this in a Kubernetes Environment. The Elasticsearch nodes are running as Statefulset.

See
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-elasticsearch-fluentd-and-kibana-efk-logging-stack-on-kubernetes

For test environments you can use the demo certificates (already included in the docker image).

Btw: OpenIDconnect is sill not working.

Best regards

Lorenz

Hello,

maybe your CN in your certificates is different from the hostname you used for the Elasticsearch node.

In elasticsearch.yml I used this syntax:

CN=*.elasticsearch

The intention was: my Elasticsearch nodes have the hostnames es-cluster-0.elasticsearch, es-cluster-1.elasticsearch and so on.

Best regards

Lorenz

Thank you @llauber , I will try and let you know the outcome.