[NXP-29174] Fix connection to Elasticsearch and SSL - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 10.10
Fix Version/s: 10.10-HF28, 11.1, 2021.0
Component/s: Elasticsearch

Release Notes Summary:
SSL connection to Elasticsearch works with certificates.
Tags:
- SupCom
- nxsupport
Backlog priority:
900
Sprint:
nxsupport 11.1.6, nxsupport 11.1.7

Description

Configuring Nuxeo to use Elasticsearch with SSL as described in this nuxeo.conf excerpt

elasticsearch.addressList=https://elastic1:9200,https://elastic2:9200,https://elastic3:9200
elasticsearch.restClient.username=elastic
elasticsearch.restClient.password=xxxxxxxx
elasticsearch.restClient.truststore.path=/opt/nuxeo/server/cacerts
elasticsearch.restClient.truststore.password=xxxxx
elasticsearch.restClient.truststore.type=jks
elasticsearch.restClient.keystore.path=/opt/nuxeo/server/nuxeo.jks
elasticsearch.restClient.keystore.password=xxxxxx
elasticsearch.restClient.keystore.type=jks

leads to this error

ERROR [ComponentManager] Component service:org.nuxeo.elasticsearch.ElasticSearchComponent notification of application started failed: Cannot setup SSL for RestClient: ElasticSearchClientConfig{options={keyStoreType=jks, trustStorePassword=xxxxxx, password=xxxxxx, keyStorePassword=xxxxxx, addressList=https://elastic1:9200,https://elastic2:9200,https://elastic3:9200, connection.timeout.ms=30000, trustStorePath=/opt/nuxeo/server/cacerts, trustStoreType=jks, socket.timeout.ms=20000, keyStorePath=/opt/nuxeo/server/nuxeo.jks, username=elastic}}
org.nuxeo.ecm.core.api.NuxeoException: Cannot setup SSL for RestClient: ElasticSearchClientConfig{options={keyStoreType=jks, trustStorePassword=xxxxx, password=xxxxxxx, keyStorePassword=xxxxxx, addressList=https://elastic1:9200,https://elastic2:9200,https://elastic3:9200, connection.timeout.ms=30000, trustStorePath=/opt/nuxeo/server/cacerts, trustStoreType=jks, socket.timeout.ms=20000, keyStorePath=/opt/nuxeo/server/nuxeo.jks, username=elastic}}
        at org.nuxeo.elasticsearch.client.ESRestClientFactory.getSslContext(ESRestClientFactory.java:221) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.elasticsearch.client.ESRestClientFactory.addClientCallback(ESRestClientFactory.java:173) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.elasticsearch.client.ESRestClientFactory.createRestClient(ESRestClientFactory.java:165) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.elasticsearch.client.ESRestClientFactory.create(ESRestClientFactory.java:110) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.elasticsearch.core.ElasticSearchAdminImpl.createClient(ElasticSearchAdminImpl.java:160) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.elasticsearch.core.ElasticSearchAdminImpl.connect(ElasticSearchAdminImpl.java:123) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.elasticsearch.core.ElasticSearchAdminImpl.<init>(ElasticSearchAdminImpl.java:105) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.elasticsearch.ElasticSearchComponent.start(ElasticSearchComponent.java:181) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        at org.nuxeo.runtime.model.impl.RegistrationInfoImpl.start(RegistrationInfoImpl.java:381) [nuxeo-runtime-10.10-HF10.jar:?]
...
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343) [bootstrap-9.0.34.jar:9.0.34]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474) [bootstrap-9.0.34.jar:9.0.34]
Caused by: java.security.UnrecoverableKeyException: Password must not be null
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:134) ~[?:1.8.0_252]
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:57) ~[?:1.8.0_252]
        at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96) ~[?:1.8.0_252]
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:71) ~[?:1.8.0_252]
        at java.security.KeyStore.getKey(KeyStore.java:1023) ~[?:1.8.0_252]
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[?:1.8.0_252]
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[?:1.8.0_252]
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[?:1.8.0_252]
        at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:302) ~[httpcore-4.4.10.jar:4.4.10]
        at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:323) ~[httpcore-4.4.10.jar:4.4.10]
        at org.nuxeo.elasticsearch.client.ESRestClientFactory.getSslContext(ESRestClientFactory.java:217) ~[nuxeo-elasticsearch-core-10.10-HF25.jar:?]
        ... 59 more

Applying the same fix as for MongoDB connection with SSL (~~NXP-27694~~) should fix the problem.