Keystore is not created with java 22 (password needed)
Describe the Bug
Running the latest elasticsearch module with Elasticsearch 8.15.1 on Rocky 9 throws this error:
Error: Execution of 'keytool -importkeystore -srcstoretype PKCS12 -destkeystore /etc/elasticsearch/elasticsearch.ks -srckeystore /tmp/elasticsearch_node.20241023-51377-1njhkrb -alias elasticsearch_node' returned 1: Importing keystore /tmp/elasticsearch_node.20241023-51377-1njhkrb to /etc/elasticsearch/elasticsearch.ks...
Enter destination keystore password: Enter source keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************
Enter key password for <elasticsearch_node>Enter key password for <elasticsearch_node>Enter key password for <elasticsearch_node>keytool error: java.lang.Exception: Too many failures - try later
Error: /Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_node]/ensure: change from 'absent' to 'present' failed: Execution of 'keytool -importkeystore -srcstoretype PKCS12 -destkeystore /etc/elasticsearch/elasticsearch.ks -srckeystore /tmp/elasticsearch_node.20241023-51377-1njhkrb -alias elasticsearch_node' returned 1: Importing keystore /tmp/elasticsearch_node.20241023-51377-1njhkrb to /etc/elasticsearch/elasticsearch.ks...
Enter destination keystore password: Enter source keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************
Enter key password for <elasticsearch_node>Enter key password for <elasticsearch_node>Enter key password for <elasticsearch_node>keytool error: java.lang.Exception: Too many failures - try later (corrective)
from elasticsearch module:
```puppet
# Trust CA Certificate
java_ks { 'elasticsearch_ca':
  ensure       => present,
  certificate  => $elasticsearch::ca_certificate,
  target       => $_keystore_path,
  password     => $elasticsearch::keystore_password,
  trustcacerts => true,
}

# Load node certificate and private key
java_ks { 'elasticsearch_node':
  ensure           => present,
  certificate      => $elasticsearch::certificate,
  private_key      => $elasticsearch::private_key,
  private_key_type => $elasticsearch::private_key_type,
  target           => $_keystore_path,
  password         => $elasticsearch::keystore_password,
}
```
The password is not empty in both cases.
Java version used in elasticsearch:
/usr/share/elasticsearch/jdk/bin/java -version
openjdk version "22.0.1" 2024-04-16
OpenJDK Runtime Environment (build 22.0.1+8-16)
OpenJDK 64-Bit Server VM (build 22.0.1+8-16, mixed mode, sharing)
This is probably a combination of Java and operating system versions; the same module used with Elasticsearch 7.17 works properly.
Expected Behavior
A proper keystore should be created.
Steps to Reproduce
I have included code from elasticsearch module.
Environment
- Java version 22.0.1
- Platform: Rocky 9.5
- Puppet version: 7.33.0
Additional Context
When I run commands from above manually (outside puppet run), the keystore is created but I have to provide the password manually on every step.
I've investigated this more. The problem is with openssl bundled with puppet agent which creates intermediate pkcs12 storage that can't be read by newer java keytool. This is related to https://github.com/openssl/openssl/pull/12540
The working solution for me is to replace
https://github.com/puppetlabs/puppetlabs-java_ks/blob/main/lib/puppet/provider/java_ks/keytool.rb#L33
```ruby
pkcs12 = OpenSSL::PKCS12.create(password, @resource[:name], pkey, x509_cert, chain_certs)
```
to
```ruby
pkcs12 = OpenSSL::PKCS12.create(password, @resource[:name], pkey, x509_cert, chain_certs, "AES-256-CBC", "AES-256-CBC")
```
AES-256-CBC is the default for OpenSSL 3.*. Unfortunately, there's no easy way to determine which version of keytool is used because keytool doesn't report its version by itself. And I don't know how backward-compatible this change is. Maybe this should be parametrized?
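The proposed change, as an added example (not code from puppetlabs-java_ks or from this issue's author): it makes the same OpenSSL::PKCS12.create call with and without the explicit "AES-256-CBC" arguments, walks the resulting DER for the PBE OIDs, and re-reads the fixed bundle, so you can see which scheme your Ruby's linked OpenSSL emits before handing the file to keytool. The key, certificate, alias and password are constructed test material.

```ruby
require "openssl"

# Legacy pkcs12 PBE OIDs (SHA1 + RC2-40 / 3DES) vs PBES2, which "AES-256-CBC" selects.
LEGACY_PBE_OIDS = %w[1.2.840.113549.1.12.1.6 1.2.840.113549.1.12.1.3].freeze
PBES2_OID = "1.2.840.113549.1.5.13"

# Throwaway RSA key and self-signed certificate (constructed test material).
def sample_key_and_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=elasticsearch_node")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# The java_ks provider's call; pbe = nil leaves the scheme to the linked OpenSSL (the bug).
def build_pkcs12(password, name, key, cert, pbe)
  OpenSSL::PKCS12.create(password, name, key, cert, [], pbe, pbe).to_der
end

# Every OID in the DER, recursing into nested OCTET STRINGs; encrypted payloads are skipped.
def collect_oids(node, acc = [])
  case node
  when OpenSSL::ASN1::ObjectId then acc << node.oid
  when OpenSSL::ASN1::OctetString
    nested = (OpenSSL::ASN1.decode(node.value) rescue nil) # ciphertext/salt/digest are not DER
    collect_oids(nested, acc) if nested
  when OpenSSL::ASN1::ASN1Data
    node.value.each { |v| collect_oids(v, acc) } if node.value.is_a?(Array)
  end
  acc
end

# :legacy if any pkcs12 PBE scheme appears, :pbes2 if only PBES2 does, else :unknown.
def pbe_scheme(der)
  oids = collect_oids(OpenSSL::ASN1.decode(der))
  return :legacy if oids.any? { |o| LEGACY_PBE_OIDS.include?(o) }
  oids.include?(PBES2_OID) ? :pbes2 : :unknown
end

# The proposed fix's bundle, re-read, plus what this OpenSSL emits when no PBE is given.
def check(password = "constructed-password")
  key, cert = sample_key_and_cert
  fixed = build_pkcs12(password, "elasticsearch_node", key, cert, "AES-256-CBC")
  reread = OpenSSL::PKCS12.new(fixed, password)
  { fixed: pbe_scheme(fixed),
    roundtrip_ok: reread.key.public_key.to_der == key.public_key.to_der,
    default: pbe_scheme(build_pkcs12(password, "elasticsearch_node", key, cert, nil)) }
end
```

A `:default` of `:legacy` means this Ruby's OpenSSL still emits the old schemes (the situation described above), while `:pbes2` means its defaults already match the patched call.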
Any news about this issue?