Unable to run set-password in Elasticsearch 6.x (keystore password was incorrect)

Question

I'm setting up a 6.1.2 windows cluster and have a gold license. This is the first machine in the cluster so I have generated a CA cert with a password and placed it in the ES_HOME config directory.

relevant keys from the elasticsearch.yml file:

xpack.ssl.keystore.path: elastic-stack-test-ca.p12

xpack.ssl.truststore.path: elastic-stack-test-ca.p12

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.http.ssl.enabled: true

I have run through the docs and am currently trying to complete step 7 of the Elasticsearch installation.

Unfortunately this command "Elasticsearch\6.1.2\bin\x-pack\setup-passwords auto" is throwing an exception.

Exception:

Exception in thread "main" ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
at org.elasticsearch.xpack.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61)
at org.elasticsearch.xpack.ssl.SSLService.createSslContext(SSLService.java:408)
at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:444)
at org.elasticsearch.xpack.ssl.SSLService.(SSLService.java:87)
at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:91)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.elasticsearch.xpack.ssl.CertUtils.readKeyStore(CertUtils.java:230)
at org.elasticsearch.xpack.ssl.CertUtils.trustManager(CertUtils.java:221)
at org.elasticsearch.xpack.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:59)

I don't see anywhere in the Set Passwords Command where you pass the password for the keystore.

Hoping someone can shed some light on what I might be doing wrong, or my next steps. This error is blocking me from installing Kibana and Logstash.

Thank you, Stephen

Answer 1

After digging in a bit it turned out that my JAVA HOME was pointing to a 9.x version, once I change the HOME to be a compatible version, 8 in this case, everything worked as documented.