certutil cert: Errors when using - as a first character for --pass and probably --ca-pass #94270

Open
e42sh opened this issue Mar 2, 2023 · 2 comments
Labels
>bug :Security/TLS SSL/TLS, Certificates Team:Security Meta label for security team

Comments

e42sh commented Mar 2, 2023

Elasticsearch Version

8.4.3

Installed Plugins

No response

Java Version

bundled

OS Version

uname -a
Linux ip-10-143-255-136.eu-central-1.compute.internal 4.14.305-227.531.amzn2.x86_64 #1 SMP Tue Feb 14 09:55:28 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Problem Description

During the startup sequence I use the pregenerated password for transport.

transport_pass="$(elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password)"
elasticsearch-certutil cert --silent --ca ca.p12 --days 90 --dns es.local --ip 127.0.0.1 --name transport --pass "$transport_pass" --ca-pass "" --out transport.p12

If transport_pass starts with a -, certutil fails.

Example:

bin/elasticsearch-certutil cert --silent --ca ca.p12 --days 90 --dns es.local --ip 127.0.0.1 --name transport --pass '-ftest' --ca-pass "" --out transport.p12

This command results in

Simplifies certificate creation for use with the Elastic Stack

Non-option arguments:
command

Option             Description
------             -----------
-E <KeyValuePair>  Configure a setting
-h, --help         Show help
-s, --silent       Show minimal output
-v, --verbose      Show verbose output
ERROR: f is not a recognized option

Steps to Reproduce

bin/elasticsearch-certutil cert --silent --ca ca.p12 --days 90 --dns es.local --ip 127.0.0.1 --name transport --pass '-ftest' --ca-pass "" --out transport.p12

Logs (if relevant)

No response

e42sh added the >bug and needs:triage labels Mar 2, 2023
e42sh changed the title from "certutil cert: Errors when using - as a first character for --pass / --ca-pass" to "certutil cert: Errors when using - as a first character for --pass and probably --ca-pass" Mar 2, 2023
HiDAl added the :Security/TLS and Team:Security labels and removed the needs:triage label Mar 6, 2023
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@ywangd
Member

ywangd commented Mar 8, 2023

You can use the alternative form for specifying values with special characters, i.e. instead of --pass '-ftest', use --pass=-ftest.
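
The workaround above applied to the startup command from the report, as an added example that is not part of the thread or of Elasticsearch. `CERTUTIL`, `make_transport_cert` and `audit_args` are hypothetical names, and the example assumes the `=` form binds `--ca-pass` the same way the thread shows for `--pass`.

```sh
#!/bin/sh
# Added example (not from the thread). CERTUTIL, make_transport_cert and
# audit_args are hypothetical names; CERTUTIL can point at a stub for testing.
CERTUTIL="${CERTUTIL:-bin/elasticsearch-certutil}"

# make_transport_cert PASS CA_PASS
# Runs the report's command with non-empty secrets attached via '=', so a
# leading '-' never starts a token of its own. PASS is assumed non-empty.
# Assumption: '=' binds --ca-pass the same way the thread shows for --pass.
make_transport_cert() {
  pass=$1
  ca_pass=$2
  set -- cert --silent --ca ca.p12 --days 90 --dns es.local \
    --ip 127.0.0.1 --name transport "--pass=$pass"
  if [ -n "$ca_pass" ]; then
    set -- "$@" "--ca-pass=$ca_pass"
  else
    set -- "$@" --ca-pass ""   # empty value: keep the form used in the report
  fi
  "$CERTUTIL" "$@" --out transport.p12
}

# audit_args ARG...
# Prints each of --pass / --ca-pass whose value was passed as a separate
# token starting with '-' (the failing form). Prints nothing otherwise.
audit_args() {
  prev=
  for tok in "$@"; do
    case "$prev" in
      --pass|--ca-pass)
        case "$tok" in
          -*) printf '%s\n' "$prev" ;;
        esac
        ;;
    esac
    prev=$tok
  done
  return 0
}
```

In a startup script, `make_transport_cert "$transport_pass" ""` replaces the original `elasticsearch-certutil cert ...` line.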
