Linux elk-poc-1 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Problem Description
elasticsearch-certutil cert raises java.lang.IllegalArgumentException: password empty with --pass "" and/or --ca-pass "" arguments when executed with --pem (but not with PKCS#12).
Exception in thread "main" java.lang.IllegalArgumentException: password empty
at org.bouncycastle.jcajce.provider.symmetric.OpenSSLPBKDF$PBKDF.engineGenerateSecret(Unknown Source)
at java.base/javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:333)
at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
at org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder$1.encrypt(Unknown Source)
at org.bouncycastle.openssl.MiscPEMGenerator.createPemObject(Unknown Source)
at org.bouncycastle.openssl.MiscPEMGenerator.generate(Unknown Source)
at org.bouncycastle.util.io.pem.PemWriter.writeObject(Unknown Source)
at org.bouncycastle.openssl.jcajce.JcaPEMWriter.writeObject(Unknown Source)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$0(CertificateTool.java:812)
at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:1036)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$1(CertificateTool.java:811)
at org.elasticsearch.xpack.security.cli.CertificateTool.lambda$fullyWriteZipFile$0(CertificateTool.java:1052)
at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteFile(CertificateTool.java:1096)
at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteZipFile(CertificateTool.java:1047)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:789)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:716)
at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.Command.main(Command.java:50)
at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)
From your comment, it seems like you want PEM certificates without a password. From our documentation:
--pass
Specifies the password for the generated private keys. This parameter cannot be used with the http parameters.
Keys stored in PKCS#12 format are always password protected, however, this password may be blank. If you want to specify a blank password without a prompt, use --pass "" (with no =) on the command line.
Keys stored in PEM format are password protected only if the --pass parameter is specified. If you do not supply an argument for the --pass parameter, you are prompted for a password. Encrypted PEM files do not support blank passwords (if you do not wish to password-protect your PEM keys, then do not specify --pass).
So, you'll need to remove the --pass option from your command to make it work.
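An added example, not part of this thread or of the Elasticsearch code: since PEM keys are password protected only when --pass is given, this check reports which key files on disk are unencrypted by reading their PEM header lines. The function names, the .key suffix and the directory layout are assumptions, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: report how PEM private keys are protected on disk by
# reading only the armor and header lines (key material is not parsed).

# Prints: pkcs8-encrypted | legacy-encrypted | plaintext | no-key
pem_key_protection() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        # Traditional OpenSSL encryption adds RFC 1421 style headers.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo legacy-encrypted
        else
            echo plaintext
        fi
    else
        echo no-key
    fi
}

# Prints the path of every unencrypted key among DIR/*.key and DIR/*/*.key
# (the .key suffix and two-level layout are assumptions of this example).
list_plaintext_keys() {
    for f in "$1"/*.key "$1"/*/*.key; do
        [ -f "$f" ] || continue
        [ "$(pem_key_protection "$f")" = plaintext ] && echo "$f"
    done
    return 0
}

# Constructed sample files: headers only, the bodies are placeholders.
write_constructed_samples() {
    mkdir -p "$1/node1" "$1/node2"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/node1/node1.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,PLACEHOLDER' '' \
        'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/node2/node2.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/node1/node1.crt"
}

demo_dir=$(mktemp -d)
write_constructed_samples "$demo_dir"
list_plaintext_keys "$demo_dir"   # lists only node1/node1.key
rm -rf "$demo_dir"
```

Keys it lists as plaintext rely entirely on filesystem permissions for protection.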
Sorry for the confusion. I was modifying a deployment with PKCS #12 and I took for granted that I needed to indicate those parameters to avoid the password prompt. I have now verified that this is not the case. Thanks!
Elasticsearch Version
Version: 8.6.1, Build: deb/180c9830da956993e59e2cd70eb32b5e383ea42c/2023-01-24T21:35:11.506992272Z, JVM: 19.0.1
Installed Plugins
No response
Java Version
bundled
OS Version
Linux elk-poc-1 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Problem Description
elasticsearch-certutil cert raises java.lang.IllegalArgumentException: password empty with --pass "" and/or --ca-pass "" arguments when executed with --pem (but not with PKCS#12).
This command runs properly:
Steps to Reproduce
Logs (if relevant)