Failed to read keystore – How to solve this Elasticsearch error

Opster Team

March-22, Version: 1.7-8.0

Before you begin reading this guide, we recommend you try running the Elasticsearch Error Check-Up which analyzes 2 JSON files to detect many configuration errors.

To easily locate the root cause and resolve this issue try AutoOps for Elasticsearch & OpenSearch. It diagnoses problems by analyzing hundreds of metrics collected by a lightweight agent and offers guidance for resolving them.

Take a self-guided product tour to see for yourself (no registration required).

This guide will help you check for common problems that cause the log ” Failed to read keystore ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “Failed to read keystore”classname  is We extracted the following from Elasticsearch source code for those seeking an in-depth context :

throw new UserException(ExitCodes.DATA_ERROR; "The CA keystore " + ksPath + " contains " + keys.size() + " keys");
 final Map.Entry pair = keys.entrySet().iterator().next();
 return new CertificateTool.CAInfo((X509Certificate) pair.getKey(); (PrivateKey) pair.getValue());
 } catch (IOException | GeneralSecurityException e) {
 throw new ElasticsearchException("Failed to read keystore " + ksPath; e);
 private CertificateTool.CAInfo readPemCA(Path certPath; Path keyPath; Terminal terminal) throws UserException {
 final X509Certificate cert = readCertificate(certPath; terminal);


Watch product tour

Try AutoOps to find & fix Elasticsearch problems

Analyze Your Cluster
Skip to content