Open justincr-elastic opened 2 years ago
Pinging @elastic/es-core-infra (Team:Core/Infra)
Pinging @elastic/es-security (Team:Security)
Pinging @elastic/es-delivery (Team:Delivery)
Thanks for looking into this. This issue has affected everyone I know who has tried to install ES recently.
@jkakavas do you see any issue with the security by default generated public certs having global read permissions?
No, I think the http_ca.crt can (and should be) world readable. It was an oversight that we didn't do it in the first place, not a conscious design decision.
cc @albertzaharovits
@albertzaharovits were you able to take a look at this?
Any updates on this issue? Below is what I was able to achieve by copying the http_ca.crt into /usr/local/share/ca-certificates/certs/ and then ln -s to /etc/ssl/certs.
When I copy and link the cert:
cp /etc/elasticsearch/certs/http_ca.crt /usr/local/share/ca-certificates/certs/http_ca.crt
chmod 640 /usr/local/share/ca-certificates/certs/http_ca.crt
c_rehash /usr/local/share/ca-certificates/certs/
cd /etc/ssl/certs
ln -s /usr/local/share/ca-certificates/certs/http_ca.crt http_ca.crt
chmod 640 /etc/ssl/certs/http_ca.crt
c_rehash
NOTE: ownership is already set to root:root on /etc/ssl/certs/http_ca.crt
Then run the curl command:
curl --cacert /etc/ssl/certs/http_ca.crt -u elastic https://localhost:9200/
I get the desired result: ES summary data.
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/
continues to generate the curl 77 error mentioned in the original post, even after this change.
I am guessing/hoping that I can update the elasticsearch.yml to point to the cert in /etc/ssl/certs and everything will work without issue, until there is an update that could break that connection.
I am using ubuntu server 20.04 LTS // ES 8.4
The error occurs on a default ES install on Debian Bullseye as well. Changing the permissions enables curl to connect with the --cacert flag (and without -k).
Do you have any update on this? Fresh Debian install via repository and we still get the error as stated.
I ran into this on Debian 12.5.0. I got this working by running the following commands:
sudo chmod a+rx /etc/elasticsearch
sudo chmod a+rx /etc/elasticsearch/certs
sudo chmod a+r /etc/elasticsearch/certs/http_ca.crt
Elasticsearch Version
8.2.2
Installed Plugins
No response
Java Version
bundled
OS Version
Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS (Linux ncc-1701-d 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux)
Problem Description
I reproduced a "Security on by default" issue in Discuss related to Ubuntu/Debian install. HTTPS certs (CA and server) are generated at install time. However, they are placed in a directory with no global read permission. Non-privileged users cannot access the HTTPS CA cert for use in HTTPS clients (ex: curl).
This seems like an install issue for how permissions are set up during install.
Steps to Reproduce
Install and Run Elasticsearch (as per the Discuss problem description)
Reproduce the permissions issue with curl
Demonstrate the permissions issue with ls
Logs (if relevant)
n/a
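As an added example, not code from the issue thread or from Elasticsearch, the script below automates the check the steps above do by hand with ls and curl: it walks the directory chain to http_ca.crt as an unprivileged user would see it, then applies the fix posted for Debian 12 (a+rx on the directories, a+r on the cert only). It assumes GNU stat and builds a constructed fixture in a temp directory, so it never touches a real /etc/elasticsearch.

```shell
#!/bin/sh
# Added example, not from the issue thread or from Elasticsearch: checks the
# condition the issue describes (o+x on every parent dir, o+r on http_ca.crt)
# and applies the fix posted for Debian 12. Assumes GNU stat; modes constructed.
others_bits() { stat -c %A "$1" | cut -c8-10; }   # "others" rwx triple, e.g. r-x
# path_world_readable ROOT FILE -> 0 when every directory from ROOT down to
# FILE's parent grants o+x and FILE grants o+r; prints the first failing path
path_world_readable() {
  root="$1"; f="$2"; d=$(dirname "$f")
  while :; do
    case $(others_bits "$d") in
      ??[xt]) ;;                             # x, or sticky t (implies x)
      *) echo "missing o+x: $d"; return 1 ;;
    esac
    [ "$d" = "$root" ] && break
    d=$(dirname "$d")
  done
  case $(others_bits "$f") in
    r??) return 0 ;;
    *) echo "missing o+r: $f"; return 1 ;;
  esac
}
# fix_ca_perms ROOT FILE -> the thread's remedy: a+rx on each directory from
# ROOT down to FILE's parent, a+r on FILE only; keys beside it stay untouched
fix_ca_perms() {
  root="$1"; f="$2"; d=$(dirname "$f")
  while :; do
    chmod a+rx "$d"
    [ "$d" = "$root" ] && break
    d=$(dirname "$d")
  done
  chmod a+r "$f"
}
# make_fixture -> prints a temp base holding etc/elasticsearch/certs/ with a
# constructed http_ca.crt (660) and http.p12 (600, stands in for key material)
make_fixture() {
  base=$(mktemp -d); certs="$base/etc/elasticsearch/certs"
  mkdir -p "$certs"; : > "$certs/http_ca.crt"; : > "$certs/http.p12"
  chmod 750 "$base/etc/elasticsearch" "$certs"
  chmod 660 "$certs/http_ca.crt"; chmod 600 "$certs/http.p12"
  echo "$base"
}

if [ "${1:-}" = "demo" ]; then                    # sh this_script.sh demo
  b=$(make_fixture); r="$b/etc/elasticsearch"; c="$r/certs/http_ca.crt"
  path_world_readable "$r" "$c" || fix_ca_perms "$r" "$c"
  path_world_readable "$r" "$c" && echo "ok: $c is reachable by unprivileged users"
  rm -rf "$b"
fi
```

Point path_world_readable at a real install (for example ROOT=/etc/elasticsearch, FILE=/etc/elasticsearch/certs/http_ca.crt) to see which component blocks the curl --cacert call before changing anything.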