WARNING: Version 6.2 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Setup-passwords command fails due to connection failure
editSetup-passwords command fails due to connection failure
editThe setup-passwords command sets passwords for the built-in users by sending user management API requests. If your cluster uses SSL/TLS for the HTTP (REST) interface, the command attempts to establish a connection with the HTTPS protocol. If the connection attempt fails, the command fails.
Symptoms:
-
Elasticsearch is running HTTPS, but the command fails to detect it and returns the following errors:
Cannot connect to elasticsearch node. java.net.SocketException: Unexpected end of file from server ... ERROR: Failed to connect to elasticsearch at http://127.0.0.1:9200/_xpack/security/_authenticate?pretty. Is the URL correct and elasticsearch running?
-
SSL/TLS is configured, but trust cannot be established. The command returns the following errors:
SSL connection to https://127.0.0.1:9200/_xpack/security/_authenticate?pretty failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Please check the elasticsearch SSL settings under xpack.security.http.ssl. ... ERROR: Failed to establish SSL connection to elasticsearch at https://127.0.0.1:9200/_xpack/security/_authenticate?pretty.
-
The command fails because hostname verification fails, which results in the following errors:
SSL connection to https://idp.localhost.test:9200/_xpack/security/_authenticate?pretty failed: java.security.cert.CertificateException: No subject alternative DNS name matching elasticsearch.example.com found. Please check the elasticsearch SSL settings under xpack.security.http.ssl. ... ERROR: Failed to establish SSL connection to elasticsearch at https://elasticsearch.example.com:9200/_xpack/security/_authenticate?pretty.
Resolution:
-
If your cluster uses TLS/SSL for the HTTP interface but the
setup-passwords
command attempts to establish a non-secure connection, use the--url
command option to explicitly specify an HTTPS URL. Alternatively, set thexpack.security.http.ssl.enabled
setting totrue
. -
If the command does not trust the Elasticsearch server, verify that you configured the
xpack.security.http.ssl.certificate_authorities
setting or thexpack.security.http.ssl.truststore.path
setting. -
If hostname verification fails, you can disable this verification by setting
xpack.security.http.ssl.verification_mode
tocertificate
.
For more information about these settings, see Security Settings in Elasticsearch.