The elasticsearch-setup-passwords command sets passwords for the built-in users by sending user management API requests. If your cluster uses SSL/TLS for the HTTP (REST) interface, the command attempts to establish a connection with the HTTPS protocol. If the connection attempt fails, the command fails.
Elasticsearch is running HTTPS, but the command fails to detect it and returns the following errors:
Cannot connect to elasticsearch node. java.net.SocketException: Unexpected end of file from server ... ERROR: Failed to connect to elasticsearch at http://127.0.0.1:9200/_security/_authenticate?pretty. Is the URL correct and elasticsearch running?
SSL/TLS is configured, but trust cannot be established. The command returns the following errors:
SSL connection to https://127.0.0.1:9200/_security/_authenticate?pretty failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Please check the elasticsearch SSL settings under xpack.security.http.ssl. ... ERROR: Failed to establish SSL connection to elasticsearch at https://127.0.0.1:9200/_security/_authenticate?pretty.
The command fails because hostname verification fails, which results in the following errors:
SSL connection to https://idp.localhost.test:9200/_security/_authenticate?pretty failed: java.security.cert.CertificateException: No subject alternative DNS name matching elasticsearch.example.com found. Please check the elasticsearch SSL settings under xpack.security.http.ssl. ... ERROR: Failed to establish SSL connection to elasticsearch at https://elasticsearch.example.com:9200/_security/_authenticate?pretty.
If your cluster uses TLS/SSL for the HTTP interface but the
elasticsearch-setup-passwordscommand attempts to establish a non-secure connection, use the
--urlcommand option to explicitly specify an HTTPS URL. Alternatively, set the
If the command does not trust the Elasticsearch server, verify that you configured the
xpack.security.http.ssl.certificate_authoritiessetting or the
If hostname verification fails, you can disable this verification by setting
For more information about these settings, see Security settings.