Exception java.lang.NullPointerException

I am seeing the following error in my elasticsearch log:

java.lang.NullPointerException: Cannot invoke "String.toCharArray()" because the return value of "com.amazon.opendistroforelasticsearch.commons.rest.SecureRestClientBuilder.getKeystorePasswd()" is null

I have not been able to find anything to point me in a direction that would lead me to solving this. Any help on this would be greatly appreciated.

Hi,
I’m seeing the same error after the upgrade to ODFE 1.11.0.

Looking at the code now it seems it is required to provide also the following setting:
opendistro_security.ssl.http.keystore_keypassword

Is this a bug or a breaking change? There’s no mention of this at all in the documentation.

Thanks.

FYI - In my elasticsearch.yml, I am setting opendistro_security.ssl.http.keystore_keypassword:

opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.transport.keystore_type: PKCS12
opendistro_security.ssl.transport.keystore_filepath: MASTEROFTHEUNIVERSE01.keystore
opendistro_security.ssl.transport.keystore_alias: MASTEROFTHEUNIVERSE01
opendistro_security.ssl.transport.keystore_password: NotARealPassword
opendistro_security.ssl.transport.truststore_filepath: MASTEROFTHEUNIVERSE01.trust
opendistro_security.ssl.transport.truststore_password: NotARealPassword
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.keystore_type: PKCS12
opendistro_security.ssl.http.keystore_filepath: MASTEROFTHEUNIVERSE01.keystore
opendistro_security.ssl.http.keystore_alias: MASTEROFTHEUNIVERSE01
opendistro_security.ssl.http.keystore_password: NotARealPassword
opendistro_security.ssl.http.truststore_type: PKCS12
opendistro_security.ssl.http.truststore_filepath: HEMAN_MASTEROFTHEUNIVERSE01.trust
opendistro_security.ssl.http.truststore_password: NotARealPassword

opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.ssl.http.enabled_protocols:
  - "TLSv1.2"
  - "TLSv1.3"
opendistro_security.ssl.http.enabled_ciphers:
  - "TLS_AES_256_GCM_SHA384"
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
opendistro_security.authcz.admin_dn:
  - 'CN=Peaon,O=SomeOrg,O=SomeOrg,L=SomeCity,ST=SomeState,C=ComeCountry'
opendistro_security.nodes_dn:
  - 'CN=HEMAN*'
opendistro_security.ssl.transport.enabled_protocols:
  - "TLSv1.2"
  - "TLSv1.3"
opendistro_security.ssl.transport.enabled_ciphers:
  - "TLS_AES_256_GCM_SHA384"
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
opendistro_security.ssl.http.clientauth_mode: OPTIONAL
cluster.routing.allocation.disk.threshold_enabled: true
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*"]

I am running elasticsearch: elasticsearch-oss-7.9.1-1.x86_64

I could try and downgrade to 7.8.1-1

Mind the syntax:

opendistro_security.ssl.http.keystore_keypassword

not

opendistro_security.ssl.http.keystore_password

From the code now it seems that both settings are required, even if only the second is documented.

Regards

Downgraded to ODFE 1.10.0. I had to remove these two lines from my config:

opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*"]

After that, elasticsearch is starting up

@alexz00

Thank you Alex for pointing that out. I have added opendistro_security.ssl.http.keystore_keypassword on my other node, which is still ODFE 1.11. After adding that - Elasticsearch is starting up.
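
A pre-start check built from what the posts in this thread report, added here as an example and not code from ODFE or from any poster. The function names `top_level_keys` and `check` are hypothetical, and the two version rules are assumptions taken from the thread (1.11.0 needs `keystore_keypassword`; 1.10.0 started only after the `system_indices` lines were removed), not documented behaviour.

```python
import re

# Keys and versions come from the thread above; the rules themselves are this
# example's assumptions, not documented ODFE behaviour.
HTTP_PREFIX = "opendistro_security.ssl.http."
KEYPASS = HTTP_PREFIX + "keystore_keypassword"
SYSTEM_INDICES_PREFIX = "opendistro_security.system_indices."

_KEY_LINE = re.compile(r"^([A-Za-z0-9_.]+)\s*:(?:\s|$)")


def top_level_keys(config_text):
    """Return the set of flat, dotted top-level keys in an elasticsearch.yml.

    Only key names are collected, so passwords never end up in the findings.
    Commented-out and indented lines (list items, nested values) are skipped.
    """
    keys = set()
    for line in config_text.splitlines():
        if not line or line[0] in " \t#-":
            continue
        m = _KEY_LINE.match(line)
        if m:
            keys.add(m.group(1))
    return keys


def check(config_text, odfe_version):
    """List the problems this thread reports for the given ODFE version."""
    keys = top_level_keys(config_text)
    findings = []
    uses_http_keystore = HTTP_PREFIX + "keystore_filepath" in keys
    if odfe_version == "1.11.0" and uses_http_keystore and KEYPASS not in keys:
        findings.append("missing " + KEYPASS)
    if odfe_version == "1.10.0":
        for key in sorted(k for k in keys if k.startswith(SYSTEM_INDICES_PREFIX)):
            findings.append("remove " + key)
    return findings


# Constructed sample, cut down from the configuration posted above.
SAMPLE = """\
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.keystore_filepath: MASTEROFTHEUNIVERSE01.keystore
opendistro_security.ssl.http.keystore_password: NotARealPassword
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config"]
"""

if __name__ == "__main__":
    for version in ("1.10.0", "1.11.0"):
        print(version, check(SAMPLE, version))
```

Running it against a node's elasticsearch.yml before an upgrade or downgrade surfaces the missing or unsupported key names without echoing any password value.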