Setup-passwords command fails due to connection failureedit
The elasticsearch-setup-passwords command sets passwords for the built-in users by sending user management API requests. If your cluster uses SSL/TLS for the HTTP (REST) interface, the command attempts to establish a connection with the HTTPS protocol. If the connection attempt fails, the command fails.
Symptoms:
-
Elasticsearch is running HTTPS, but the command fails to detect it and returns the following errors:
Cannot connect to elasticsearch node. java.net.SocketException: Unexpected end of file from server ... ERROR: Failed to connect to elasticsearch at http://127.0.0.1:9200/_security/_authenticate?pretty. Is the URL correct and elasticsearch running?
-
SSL/TLS is configured, but trust cannot be established. The command returns the following errors:
SSL connection to https://127.0.0.1:9200/_security/_authenticate?pretty failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Please check the elasticsearch SSL settings under xpack.security.http.ssl. ... ERROR: Failed to establish SSL connection to elasticsearch at https://127.0.0.1:9200/_security/_authenticate?pretty.
-
The command fails because hostname verification fails, which results in the following errors:
SSL connection to https://idp.localhost.test:9200/_security/_authenticate?pretty failed: java.security.cert.CertificateException: No subject alternative DNS name matching elasticsearch.example.com found. Please check the elasticsearch SSL settings under xpack.security.http.ssl. ... ERROR: Failed to establish SSL connection to elasticsearch at https://elasticsearch.example.com:9200/_security/_authenticate?pretty.
Resolution:
-
If your cluster uses TLS/SSL for the HTTP interface but the
elasticsearch-setup-passwords
command attempts to establish a non-secure connection, use the--url
command option to explicitly specify an HTTPS URL. Alternatively, set thexpack.security.http.ssl.enabled
setting totrue
. -
If the command does not trust the Elasticsearch server, verify that you configured the
xpack.security.http.ssl.certificate_authorities
setting or thexpack.security.http.ssl.truststore.path
setting. -
If hostname verification fails, you can disable this verification by setting
xpack.security.http.ssl.verification_mode
tocertificate
.
For more information about these settings, see Security settings.