
I generated a certificate file with certbot. It is placed in /etc/letsencrypt/....

I created a group called elk where I added the elasticsearch user, and I recursively set it as the owning group for /etc/letsencrypt and recursively set the permissions to 770.

When I start elasticsearch via systemctl start elasticsearch.service, it is not able to read the file:

Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/letsencrypt/live/<domain>/fullchain.pem" "read")

Why is that?

What strategy would you recommend to be able to use the same certificate for elasticsearch and kibana?

  • Have you added the certificate file to the group elk?
    – paladin
    Commented Mar 19, 2024 at 17:44
  • I used the chgrp -R elk /etc/letsencrypt command followed by chmod -R 770 /etc/letsencrypt. Are you referring to something else?
    – Vivere
    Commented Mar 19, 2024 at 17:46
  • Could you please check the group setting for the file /etc/letsencrypt/live/<domain>/fullchain.pem?
    – paladin
    Commented Mar 19, 2024 at 19:37
  • What's the output of ps -o pid,user,group,supgrp,args -C java and namei -l /etc/letsencrypt/live/<domain>/fullchain.pem?
    Commented Mar 19, 2024 at 21:00
  • In any case chmod -R 770 doesn't make sense. You don't want to give execute permissions to non-directory files in there and you don't want to give write access to anyone.
    Commented Mar 19, 2024 at 21:03
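
The point in the last comment about chmod -R 770, as an added example that is not part of the thread: one function lists what a recursive 770 leaves over-permissive, the other resets directories and files separately. The function names are hypothetical, and it assumes the owner keeps write access so that the renewing process can still replace the files.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage on the tree from the question, as root:
#   audit_cert_tree /etc/letsencrypt
#   tighten_cert_tree /etc/letsencrypt

# Print regular files that carry any execute bit or are writable by group
# or others, and directories that are writable by group or others.
# Symlinks (as used under live/) are skipped; their targets are checked
# where they really live.
audit_cert_tree() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -020 -o -perm -002 \) -print
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
}

# Directories: owner rwx, group r-x (list and traverse), others nothing.
# Regular files: owner rw-, group r--, others nothing.
# Assumption: the owner keeps write access for certificate renewal.
# find is used instead of `chmod -R u=rwX,g=rX,o=` because X preserves the
# execute bit on files that already have one, which is exactly the state
# a previous `chmod -R 770` leaves behind.
tighten_cert_tree() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}
```

Filesystem modes only decide whether the kernel lets the process open the file; compare the result with the namei -l and ps output requested in the comments above.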
