elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch
Other
1.23k stars 24.85k forks source link

Permission denied for `/etc/elasticsearch/certs/http_ca.crt` after install on Debian #87862

Open justincr-elastic opened 2 years ago

justincr-elastic commented 2 years ago

Elasticsearch Version

8.2.2

Installed Plugins

No response

Java Version

bundled

OS Version

Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS (Linux ncc-1701-d 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux)

Problem Description

I reproduced a Security on by default issue in Discuss related to Ubuntu/Debian install.

HTTPS certs (CA and server) are generated at install time. However, they are placed in a directory with no global read permission. Non-privileged users cannot access the HTTPS CA cert for use in HTTPS clients (ex: curl).

This seems like an install issue for how permissions are setup during install.

Steps to Reproduce

Install and Run Elasticsearch (as per the Discuss problem description)

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update
sudo apt-get install elasticsearch
sudo systemctl start elasticsearch.service

Reproduce the permissions issue with curl

$ curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/
curl: (77) error setting certificate file: /etc/elasticsearch/certs/http_ca.crt

Demonstrate the permissions issue with ls

$ ls -l /etc/elasticsearch/certs/http_ca.crt
ls: cannot access '/etc/elasticsearch/certs/http_ca.crt': Permission denied

$ ls -l /etc | grep elasticsearch
drwxr-s---  4 root elasticsearch  4096 Jun 17 09:21 elasticsearch

$ ls -l /var/log | grep elasticsearch
drwxr-s---  2 elasticsearch     elasticsearch       4096 Jun 17 09:29 elasticsearch

Logs (if relevant)

n/a

elasticmachine commented 2 years ago

Pinging @elastic/es-core-infra (Team:Core/Infra)

elasticmachine commented 2 years ago

Pinging @elastic/es-security (Team:Security)

elasticmachine commented 2 years ago

Pinging @elastic/es-delivery (Team:Delivery)

philbb commented 2 years ago

Thanks for looking into this. This issue has affected everyone I know who has tried to install ES recently.

mark-vieira commented 2 years ago

@jkakavas do you see any issue with the security by default generated public certs having global read permissions?

jkakavas commented 2 years ago

@jkakavas do you see any issue with the security by default generated public certs having global read permissions?

No, I think the http_ca.crt can ( and should be ) world readable. It was an oversight that we didn't do it in the first place, not a conscious design decision.

cc @albertzaharovits

mark-vieira commented 2 years ago

@albertzaharovits where you able to take a look at this?

dci-sigh commented 2 years ago

Any updates on this issue? Below is what I was able to achieve with copying the http_ca.crt into /usr/local/share/ca-certificates/certs/ then ln -s to /etc/ssl/certs

when I copy and link cert :

cp /etc/elasticsearch/certs/http_ca.crt /usr/local/share/ca-certificates/certs/http_ca.crt chmod 640 /usr/local/share/ca-certificates/certs/http_ca.crt c_rehash /usr/local/share/ca-certificates/certs/

cd /etc/ssl/certs ln -s /usr/local/share/ca-certificates/http_ca.crt http_ca.crt chmod 640 /etc/ssl/certs/http_ca.crt c_rehash

NOTE: ownership is already set to root:root on /etc/ssl/certs/http_ca.crt

then run curl cmd:

curl --cacert /etc/ssl/certs/http_ca.crt -u elastic https://localhost:9200/

I get the desired results; ES summary data.

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/ continues to generate the curl 77 error mentioned in the original post. Even after this change.

I am guessing/hoping that I can update the elasticsearch.yml to point to the cert in /etc/ssl/certs and everything will work without issue. Until there is an update that could break that connection.

I am using ubuntu server 20.04 LTS // ES 8.4

joh4nd commented 9 months ago

The error occurs by default ES install on Debian Bullseye as well. Changing the permissions enables curl to connect with the --cacert flag (and without -k).

agg-mb commented 7 months ago

Do you have any update on this? Fresh Debian install via repository and we still get the error as stated.

cspencer51 commented 1 month ago

I ran into this on Debian 12.5.0. I got this working by running the following commands:

sudo chmod a+rx /etc/elasticsearch
sudo chmod a+rx /etc/elasticsearch/certs
sudo chmod a+r /etc/elasticsearch/certs/http_ca.crt