Fix secure settings in Elasticsearch keystore for SSL passwords

2025-03-16 20:12:19 +01:00 · 2025-03-16 20:12:19 +01:00 · 167128b6a7
commit 167128b6a7
parent 81830ce99f
2 changed files with 57 additions and 32 deletions
--- a/elasticsearch.yml
+++ b/elasticsearch.yml
@ -25,9 +25,7 @@ xpack.security.enabled: true
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: certificate
 xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
-xpack.security.transport.ssl.keystore.password: cloudron
 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
-xpack.security.transport.ssl.truststore.password: cloudron
 xpack.security.http.ssl.enabled: false
 xpack.security.authc.token.enabled: false
 xpack.security.authc.api_key.enabled: false
--- a/start.sh
+++ b/start.sh
@ -85,35 +85,19 @@ configure_elasticsearch() {
    chmod 755 $ES_PATH_CONF
    chown -R elasticsearch:elasticsearch $ES_PATH_CONF
    
-    # Handle keystore creation and password with proper error handling
-    if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ] || [ "$1" = "force" ]; then
-        echo "Creating Elasticsearch keystore..."
-        
-        # Remove existing keystore if it exists to avoid permission issues
-        [ -f $ES_PATH_CONF/elasticsearch.keystore ] && rm -f $ES_PATH_CONF/elasticsearch.keystore
-        
-        # Pre-create the tmp file with correct permissions
-        touch $ES_PATH_CONF/elasticsearch.keystore.tmp
-        chown elasticsearch:elasticsearch $ES_PATH_CONF/elasticsearch.keystore.tmp
-        
-        # Try to create keystore with proper error handling
-        if ! su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch; then
-            echo "ERROR: Failed to create keystore. Checking permissions and trying again..."
-            find $ES_PATH_CONF -type f -exec ls -la {} \;
-            
-            # Try a more aggressive approach if the first attempt failed
-            chmod -R 777 $ES_PATH_CONF
-            if ! su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch; then
-                echo "CRITICAL ERROR: Could not create Elasticsearch keystore after multiple attempts."
-                echo "Current directory permissions:"
-                find /app/data -type d -exec ls -ld {} \;
-                exit 1
-            fi
-        fi
-    fi
-    
    # Add bootstrap password to keystore
    echo "Setting bootstrap password..."
+    
+    # Verify keystore exists before trying to add password
+    if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ]; then
+        echo "ERROR: Keystore not found, cannot add bootstrap password. Creating keystore first..."
+        setup_keystore || {
+            echo "CRITICAL ERROR: Failed to create keystore, cannot proceed."
+            exit 1
+        }
+    fi
+    
+    # Now add the bootstrap password
    if ! printf "%s" "$ELASTIC_PASSWORD" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f -x 'bootstrap.password' --stdin" elasticsearch; then
        echo "ERROR: Failed to add bootstrap password to keystore."
        exit 1
@ -185,6 +169,10 @@ configure_elasticsearch() {
            
        chown elasticsearch:elasticsearch $ES_PATH_CONF/elastic-certificates.p12
        chmod 600 $ES_PATH_CONF/elastic-certificates.p12
+        
+        # Make sure we update the keystore with the correct password after generating certificates
+        echo "Updating keystore with the new certificate password..."
+        setup_keystore
    fi
    
    # Create users file if needed
@ -316,6 +304,47 @@ set_system_limits() {
    fi
 }

+# Add secure settings to the keystore
+setup_keystore() {
+    echo "Setting up Elasticsearch keystore with secure settings..."
+    
+    # Create or recreate the keystore if needed
+    if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ]; then
+        echo "Creating new Elasticsearch keystore..."
+        su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch
+        
+        # Verify keystore was created
+        if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ]; then
+            echo "ERROR: Failed to create keystore!"
+            return 1
+        fi
+    fi
+    
+    # Add the certificate passwords to the keystore (as the elasticsearch user)
+    echo "Adding certificate passwords to keystore..."
+    echo "cloudron" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f xpack.security.transport.ssl.keystore.secure_password --stdin" elasticsearch || {
+        echo "ERROR: Failed to add keystore password to keystore. Will try to recreate keystore."
+        rm -f $ES_PATH_CONF/elasticsearch.keystore
+        su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch
+        echo "cloudron" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f xpack.security.transport.ssl.keystore.secure_password --stdin" elasticsearch || {
+            echo "CRITICAL ERROR: Could not add keystore password to keystore after recreation."
+            return 1
+        }
+    }
+    
+    echo "cloudron" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f xpack.security.transport.ssl.truststore.secure_password --stdin" elasticsearch || {
+        echo "ERROR: Failed to add truststore password to keystore."
+        return 1
+    }
+    
+    # Verify keystore permissions
+    chmod 600 $ES_PATH_CONF/elasticsearch.keystore
+    chown elasticsearch:elasticsearch $ES_PATH_CONF/elasticsearch.keystore
+    
+    echo "✅ Elasticsearch keystore updated with secure settings"
+    return 0
+}
+
 # Configure JVM heap size
 configure_heap() {
    # Calculate optimal heap size (50% of available memory)
@ -347,9 +376,6 @@ start_elasticsearch() {
    ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.verification_mode=certificate"
    ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.keystore.path=elastic-certificates.p12"
    ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.truststore.path=elastic-certificates.p12"
-    # Use "cloudron" as the dummy password for certificates (Elasticsearch doesn't accept empty passwords)
-    ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.keystore.secure_password=cloudron"
-    ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.truststore.secure_password=cloudron"
    ES_START_CMD="$ES_START_CMD -d -p /app/data/run/elasticsearch.pid"
    
    echo "Starting Elasticsearch..."
@ -408,6 +434,7 @@ EOL
 # Main execution flow
 setup_password
 setup_java
+setup_keystore
 configure_elasticsearch
 [ ! -f /app/data/.initialized ] && touch /app/data/.initialized