elasticmachine
commented
2 years ago Pinging @elastic/es-core-infra (Team:Core/Infra)
Open justincr-elastic opened 2 years ago
elasticmachine
commented
2 years ago Pinging @elastic/es-core-infra (Team:Core/Infra)
elasticmachine
commented
2 years ago Pinging @elastic/es-security (Team:Security)
elasticmachine
commented
2 years ago Pinging @elastic/es-delivery (Team:Delivery)
philbb
commented
2 years ago Thanks for looking into this. This issue has affected everyone I know who has tried to install ES recently.
mark-vieira
commented
2 years ago @jkakavas do you see any issue with the security by default generated public certs having global read permissions?
jkakavas
commented
2 years ago @jkakavas do you see any issue with the security by default generated public certs having global read permissions?
No, I think the http_ca.crt can ( and should be ) world readable. It was an oversight that we didn't do it in the first place, not a conscious design decision.
cc @albertzaharovits
mark-vieira
commented
2 years ago @albertzaharovits where you able to take a look at this?
dci-sigh
commented
1 year ago Any updates on this issue? Below is what I was able to achieve with copying the http_ca.crt into /usr/local/share/ca-certificates/certs/ then ln -s to /etc/ssl/certs
when I copy and link cert :
cp /etc/elasticsearch/certs/http_ca.crt /usr/local/share/ca-certificates/certs/http_ca.crt
chmod 640 /usr/local/share/ca-certificates/certs/http_ca.crt
c_rehash /usr/local/share/ca-certificates/certs/
cd /etc/ssl/certs
ln -s /usr/local/share/ca-certificates/http_ca.crt http_ca.crt
chmod 640 /etc/ssl/certs/http_ca.crt
c_rehash
NOTE: ownership is already set to root:root on /etc/ssl/certs/http_ca.crt
then run curl cmd:
curl --cacert /etc/ssl/certs/http_ca.crt -u elastic https://localhost:9200/
I get the desired results; ES summary data.
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/
continues to generate the curl 77 error mentioned in the original post. Even after this change.
I am guessing/hoping that I can update the elasticsearch.yml to point to the cert in /etc/ssl/certs and everything will work without issue. Until there is an update that could break that connection.
I am using ubuntu server 20.04 LTS // ES 8.4
joh4nd
commented
7 months ago The error occurs by default ES install on Debian Bullseye as well. Changing the permissions enables curl to connect with the --cacert flag (and without -k).
agg-mb
commented
4 months ago Do you have any update on this? Fresh Debian install via repository and we still get the error as stated.
Elasticsearch Version
8.2.2
Installed Plugins
No response
Java Version
bundled
OS Version
Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS (Linux ncc-1701-d 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux)
Problem Description
I reproduced a
Security on by defaultissue in Discuss related to Ubuntu/Debian install.HTTPS certs (CA and server) are generated at install time. However, they are placed in a directory with no global read permission. Non-privileged users cannot access the HTTPS CA cert for use in HTTPS clients (ex: curl).
This seems like an install issue for how permissions are setup during install.
Steps to Reproduce
Install and Run Elasticsearch (as per the Discuss problem description)
Reproduce the permissions issue with
curlDemonstrate the permissions issue with
lsLogs (if relevant)
n/a