certutil fails with PEM and empty passwords #93494

Closed
nuno-andre opened this issue Feb 6, 2023 · 2 comments

Comments

@nuno-andre

Elasticsearch Version

Version: 8.6.1, Build: deb/180c9830da956993e59e2cd70eb32b5e383ea42c/2023-01-24T21:35:11.506992272Z, JVM: 19.0.1

Installed Plugins

No response

Java Version

bundled

OS Version

Linux elk-poc-1 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Problem Description

elasticsearch-certutil cert raises java.lang.IllegalArgumentException: password empty with --pass "" and/or --ca-pass "" arguments when executed with --pem (but not with PKCS#12).

This command runs properly:

./bin/elasticsearch-certutil cert \
  --in certs/instances.yml \
  --out certs/certs.p12 \
  --pass "" \
  --ca-cert certs/ca.crt \
  --ca-key certs/ca.key \
  --ca-pass "" \
  --silent

Steps to Reproduce

./bin/elasticsearch-certutil cert \
  --in certs/instances.yml \
  --out certs/certs.zip \
  --pass "" \
  --ca-cert certs/ca/ca.crt \
  --ca-key certs/ca/ca.key \
  --ca-pass "" \
  --silent \
  --pem

Logs (if relevant)

Exception in thread "main" java.lang.IllegalArgumentException: password empty
        at org.bouncycastle.jcajce.provider.symmetric.OpenSSLPBKDF$PBKDF.engineGenerateSecret(Unknown Source)
        at java.base/javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:333)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder$1.encrypt(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.createPemObject(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.generate(Unknown Source)
        at org.bouncycastle.util.io.pem.PemWriter.writeObject(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcaPEMWriter.writeObject(Unknown Source)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$0(CertificateTool.java:812)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:1036)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$1(CertificateTool.java:811)
        at org.elasticsearch.xpack.security.cli.CertificateTool.lambda$fullyWriteZipFile$0(CertificateTool.java:1052)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteFile(CertificateTool.java:1096)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteZipFile(CertificateTool.java:1047)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:789)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:716)
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
        at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.Command.main(Command.java:50)
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)
@nuno-andre nuno-andre added the >bug and needs:triage labels Feb 6, 2023
@nuno-andre nuno-andre changed the title certuilt fails with PEM and empty passwords certutil fails with PEM and empty passwords Feb 6, 2023
@HiDAl (Contributor) commented Feb 7, 2023

Hello @nuno-andre,

From your comment, it seems like you want PEM certificates without a password. From our documentation:

--pass
Specifies the password for the generated private keys. This parameter cannot be used with the http parameters.

Keys stored in PKCS#12 format are always password protected, however, this password may be blank. If you want to specify a blank password without a prompt, use --pass "" (with no =) on the command line.

Keys stored in PEM format are password protected only if the --pass parameter is specified. If you do not supply an argument for the --pass parameter, you are prompted for a password. Encrypted PEM files do not support blank passwords (if you do not wish to password-protect your PEM keys, then do not specify --pass).

So, you'll need to remove the --pass option from your command to make it work.

I hope this helps to clarify your question.

Cheers

@HiDAl HiDAl closed this as completed Feb 7, 2023
@HiDAl HiDAl added the >non-issue label and removed the >bug and needs:triage labels Feb 7, 2023
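The rule quoted from the documentation above (PKCS#12 output always carries a password, possibly blank; PEM output is encrypted only when --pass is given, and never with a blank password) is easy to get wrong when converting a deployment from one format to the other, as this issue shows. The following is an added example, not code from the Elasticsearch project or from either participant: a small helper that builds the certutil argument list and refuses the PEM-plus-blank-password combination up front, and a check that inspects the generated PEM keys afterwards to confirm they are encrypted (or not) as intended. The function names, the argument names and the three PEM snippets are assumptions constructed for the example; the snippets contain only headers and placeholder body text, not real key material.

```python
"""Guard rails around elasticsearch-certutil's --pass semantics.

Added example, not part of the Elasticsearch project. Encodes the rule from
the documentation quoted in this thread:
  * PKCS#12: always password protected, blank allowed via --pass "".
  * PEM: encrypted only when --pass is given; a blank password is invalid
    (BouncyCastle's PEM encryptor rejects it, see the stack trace above).
"""
from __future__ import annotations

import re
from typing import Optional


def certutil_cert_args(
    instances: str,
    out: str,
    ca_cert: str,
    ca_key: str,
    *,
    pem: bool,
    password: Optional[str],
    ca_password: Optional[str] = None,
    silent: bool = True,
    certutil: str = "./bin/elasticsearch-certutil",
) -> list[str]:
    """Build argv for `elasticsearch-certutil cert`.

    password=None means "emit --pass at all", i.e. unencrypted keys; that is
    only meaningful for PEM output. For PKCS#12 a blank password must be given
    explicitly as "" so the tool does not prompt.
    """
    if pem and password == "":
        # The combination that raised IllegalArgumentException in the issue.
        raise ValueError("PEM output cannot use a blank password; omit --pass instead")
    if not pem and password is None:
        raise ValueError('PKCS#12 output is always password protected; use password="" for a blank one')

    argv = [certutil, "cert", "--in", instances, "--out", out,
            "--ca-cert", ca_cert, "--ca-key", ca_key]
    if password is not None:
        argv += ["--pass", password]
    if ca_password is not None:
        argv += ["--ca-pass", ca_password]
    if silent:
        argv.append("--silent")
    if pem:
        argv.append("--pem")
    return argv


# Legacy OpenSSL PEM encryption headers (the form BouncyCastle's
# JcePEMEncryptorBuilder from the trace writes) and the PKCS#8 label.
_LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", re.M)
_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def pem_key_encryption(pem_text: str) -> Optional[str]:
    """Return how a PEM private key is encrypted, or None if it is plaintext."""
    if _PKCS8_ENCRYPTED in pem_text:
        return "pkcs8"
    if _LEGACY_ENCRYPTED.search(pem_text):
        m = _DEK_INFO.search(pem_text)
        return f"openssl-legacy:{m.group(1)}" if m else "openssl-legacy:unknown"
    return None


def pem_keys_match_intent(keys: dict[str, str], password: Optional[str]) -> list[str]:
    """Names of keys whose encryption state contradicts the --pass choice.

    password=None (no --pass) means every key must be plaintext; a non-empty
    password means every key must be encrypted.
    """
    want_encrypted = password is not None
    return [name for name, text in keys.items()
            if (pem_key_encryption(text) is not None) != want_encrypted]


# Constructed samples: headers only, bodies are placeholders, not real keys.
PLAINTEXT_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEA...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "U2FsdGVkX1...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI...\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(" ".join(certutil_cert_args(
        "certs/instances.yml", "certs/certs.zip",
        "certs/ca/ca.crt", "certs/ca/ca.key",
        pem=True, password=None, ca_password="")))
```

After unpacking the generated certs.zip, feed each *.key file's text to `pem_keys_match_intent` with the same `password` value used to build the command; an empty list means every key is in the state you asked for. Detecting the `Proc-Type`/`DEK-Info` headers rather than trying to parse the key keeps the check independent of which cipher certutil chose.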
@nuno-andre (Author)

Hello @HiDAl!

Sorry for the confusion. I was modifying a deployment with PKCS #12 and I took for granted that I needed to indicate those parameters to avoid the password prompt. I have now verified that this is not the case. Thanks!
