opendistro_security.allow_unsafe_democertificates: true

#1

Hello,
in this guide

it has been indicated that:
“Make sure to remove the entry:
opendistro_security.allow_unsafe_democertificates: true”

but this gives an error:
Caused by: java.lang.RuntimeException: Demo certificates found [bdc141ab2272c779d0f242b79063152c49e1b06a2af05e0fd90d505f2b44d5f5, 3e839e2b059036a99ee4f742814995f2fb0ced7e9d68a47851f43a3c630b5324]

I have my self-signed certificates and they work.
I have eliminated the test certificates,
but I need to have this line:

opendistro_security.allow_unsafe_democertificates: true

so that everything works.

I miss documentation on how to connect an external machine.

#2

I got past this error by deleting the example keys they provide in /etc/elasticsearch/config

#3

Thank you. Yes, I did that, and I also did not delete the line of code of default cert = true, and everything is working. Thanks!

#4

I’m using the rpm version of open distro version 6.6.2-1. I first tried to move the certs into a temp folder under /etc/elasticsearch with no success. However, deleting the demo certs from the /etc/elasticsearch folder seems to have solved the issue. Please note that the above actually works by setting:

opendistro_security.allow_unsafe_democertificates: false

Hope this helps.

#5

I am also using the rpm version, and I have deleted the *.rpm and the elasticsearch.keystore and .elasticsearch.keystore.initial_md5sum from /etc/elasticsearch and also set opendistro_security.allow_unsafe_democertificates to false. But Elasticsearch failed to start with this log:

systemctl -l status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 四 2019-05-02 15:18:39 CST; 3s ago
     Docs: http://www.elastic.co
  Process: 22351 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=1/FAILURE)
 Main PID: 22351 (code=exited, status=1/FAILURE)

5月 02 15:18:37 es.mylogs.com systemd[1]: Started Elasticsearch.
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: org.elasticsearch.cli.UserException: unable to create temporary keystore at [/etc/elasticsearch/elasticsearch.keystore.tmp], please check filesystem permissions
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/elasticsearch.keystore.tmp
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
5月 02 15:18:39 es.mylogs.com elasticsearch[22351]: at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
5月 02 15:18:39 es.mylogs.com systemd[1]: elasticsearch.service: main process exited, code=exited, status=1/FAILURE
5月 02 15:18:39 es.mylogs.com systemd[1]: Unit elasticsearch.service entered failed state.
5月 02 15:18:39 es.mylogs.com systemd[1]: elasticsearch.service failed.

Can you show some details to make it run?

#6

I am using the RPM installation on CentOS 7. I have a way to bring it up (and I don’t know if this procedure works for bringing up a cluster):

  1. In the first-round start, set the following settings to initialize the security index. I can delete the demo certificates and upload our own and also modify the configs accordingly under the directory /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ before the first-round start:
     opendistro_security.allow_default_init_securityindex: true
     opendistro_security.allow_unsafe_democertificates: false
  2. After I successfully initialized the security index, we can restart it with the following setting changed to false:
     opendistro_security.allow_default_init_securityindex: false
  3. I keep the elasticsearch.keystore, and I found from the logs that rw (0x6) permissions on pem files are being asked for the elasticsearch group, and if you put your pems under a subdirectory of /etc/elasticsearch, rwx (0x7) permissions on the subdirectory are also being asked for the elasticsearch group.
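
Added example, not part of any post above and not code from the Open Distro project: a shell function that lists every file below a config directory whose SHA-256 digest matches one of the two hashes quoted in the "Demo certificates found" error in post #1, so leftover demo certificates can be located before setting `opendistro_security.allow_unsafe_democertificates: false`. It assumes the startup check compares file digests anywhere below the config directory (consistent with post #4, where moving the certs to a subfolder did not help); the function name `find_demo_certs` is hypothetical.

```shell
#!/bin/sh
# Added example: locate files whose SHA-256 matches a known demo-certificate hash.

# The two hashes quoted in the "Demo certificates found [...]" error in post #1.
DEMO_CERT_HASHES="bdc141ab2272c779d0f242b79063152c49e1b06a2af05e0fd90d505f2b44d5f5
3e839e2b059036a99ee4f742814995f2fb0ced7e9d68a47851f43a3c630b5324"

# find_demo_certs DIR [HASHES]   (hypothetical helper name)
# Prints the path of every regular file below DIR whose SHA-256 is in HASHES
# (default: DEMO_CERT_HASHES, whitespace separated).
# Returns 0 if nothing matches, 1 if at least one file matches, 2 on bad input.
find_demo_certs() {
    dir=$1
    hashes=${2:-$DEMO_CERT_HASHES}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Assumption: the check is by file content, not file name or extension,
    # and covers subdirectories, so the search is recursive and hashes every file.
    # Paths containing newlines or backslashes are not handled.
    matches=$(find "$dir" -type f -exec sha256sum {} + |
        while read -r sum path; do
            if printf '%s\n' $hashes | grep -qxF -- "$sum"; then
                printf '%s\n' "$path"
            fi
        done)

    [ -z "$matches" ] && return 0
    printf '%s\n' "$matches"
    return 1
}

# Stand-alone use: sh find_demo_certs.sh /etc/elasticsearch
if [ "$#" -gt 0 ]; then
    find_demo_certs "$@"
fi
```

Run it as a user that can read every file under the directory; unreadable files are reported by `sha256sum` on stderr and are not compared.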