Add nodes to a cluster ES 8.17.1; env RHEL 8.10

I built a cluster with two master nodes; two days later, the attempt to add another master node (all on different hosts) failed with error:
```
./elasticsearch-create-enrollment-token -s node
Unable to create enrollment token for scope [node]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73.
```

For HTTP SSL in elasticsearch.yml on both nodes, I generated the node's crt and key with the CLI `./bin/elasticsearch-certgen --cert ca/ca.crt --key ca/ca.key --out .zip`.

Content of elasticsearch.keystore is:

```
./elasticsearch-keystore list /etc/elasticsearch/certs/elasticsearch.keystore

keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
```

elasticsearch.yml

```yaml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: CLUSTERNAME
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: NODE1MASTERNAME
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: NODE1MASTER_IP
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["NODE2MASTER_IP:9300"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
cluster.initial_master_nodes: ["NODE1MASTERNAME","NODE2MASTERNAME"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false
#lock memory on bootstrap
#bootstrap.memory_lock: true
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 05-02-2025 21:58:05
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true
#xpack.security.autoconfiguration.enabled: false
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
#  keystore.path: /etc/elasticsearch/certs/http.p12
#verification_mode: certificate
  key: /etc/elasticsearch/certs/NODE1MASTERNAME/NODE1MASTERNAME.key
  certificate: /etc/elasticsearch/certs/NODE1NAME/NODE1MASTERNAME.crt
  certificate_authorities: ["/etc/elasticsearch/certs/ca/ca.crt"]
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
#   verification_mode: none
#   key: /etc/elasticsearch/certs/NODE1MASTERNAME/NODE1MASTERNAME.key
#   certificate: /etc/elasticsearch/certs/NODE1MASTERNAME/NODE1MASTERNAME.crt
#   certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
  verification_mode: none
  keystore.path: /etc/elasticsearch/certs/transport.p12
  truststore.path: /etc/elasticsearch/certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
#
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
#script.painless.regex.enabled: true
```

Hi @latte123 Since you have manually configured many settings in the elasticsearch.yml, do not use the enrollment token method; that will not work. The enrollment token is only used when you fully use automatic configuration, which you have not, since you set your own settings, which is totally fine.

You should turn this off:
`xpack.security.enrollment.enabled: true`

To add the new node, set all the correct settings in the elasticsearch.yml.

Make sure discovery.seed_hosts is set so the new node can find the existing nodes.

IMPORTANT: And since you report that the cluster already formed, **take out** cluster.initial_master_nodes on all the elasticsearch.ymls. THIS is important.

After the cluster has formed, remove the cluster.initial_master_nodes setting from each node’s configuration and never set it again for this cluster. Do not configure this setting on nodes joining an existing cluster. Do not configure this setting on nodes which are restarting. Do not configure this setting when performing a full-cluster restart.

If you leave cluster.initial_master_nodes in place once the cluster has formed then there is a risk that a future misconfiguration may result in bootstrapping a new cluster alongside your existing cluster. It may not be possible to recover from this situation without losing data.
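A small pre-flight check for the points raised in this reply, written as an added example and not part of the thread: it flattens the relevant subset of an elasticsearch.yml and flags enrollment left on without an HTTP keystore, a lingering cluster.initial_master_nodes, and a missing discovery.seed_hosts. It goes one step beyond the reply by also flagging transport `verification_mode: none`, which appears in the posted config and turns off peer certificate checks between nodes. The sample config, node name and paths are constructed for the example.

```python
import re
# Constructed sample, condensed from the posted elasticsearch.yml, as a third node might look before correction.
SAMPLE = """\
discovery.seed_hosts: ["NODE1MASTER_IP:9300", "NODE2MASTER_IP:9300"]
cluster.initial_master_nodes: ["NODE1MASTERNAME", "NODE2MASTERNAME"]
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/node3/node3.key
  certificate: /etc/elasticsearch/certs/node3/node3.crt
xpack.security.transport.ssl:
  enabled: true
  verification_mode: none
  keystore.path: /etc/elasticsearch/certs/transport.p12
"""
LINE = re.compile(r"^( *)([A-Za-z0-9_.\-]+):\s*(.*)$")

def flatten(text):
    """Flatten the YAML subset elasticsearch.yml uses (nested mappings of scalars, '#' comments) to {'a.b.c': value}; not a full YAML parser."""
    out, stack = {}, []  # stack holds (indent, key) of the open parent mappings
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # blank line, comment line, or something this subset does not handle
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the children of a parent mapping
        full = ".".join([k for _, k in stack] + [key])
        if value:
            out[full] = value
        else:
            stack.append((indent, key))  # a parent mapping whose children follow
    return out

def lint(cfg):
    """Return (setting, problem) pairs for a node that is being joined by hand."""
    found = []
    if cfg.get("xpack.security.enrollment.enabled") == "true" \
            and "xpack.security.http.ssl.keystore.path" not in cfg:
        found.append(("xpack.security.enrollment.enabled",
                      "no HTTP keystore, so enrollment tokens cannot be created; set to false"))
    if "cluster.initial_master_nodes" in cfg:
        found.append(("cluster.initial_master_nodes",
                      "remove once the cluster has formed; never set on a joining node"))
    if "discovery.seed_hosts" not in cfg:
        found.append(("discovery.seed_hosts", "missing; the node cannot find the existing cluster"))
    if cfg.get("xpack.security.transport.ssl.verification_mode") == "none":
        found.append(("xpack.security.transport.ssl.verification_mode",
                      "none skips peer certificate checks between nodes; use certificate or full"))
    return found
```

Run `lint(flatten(open("/etc/elasticsearch/elasticsearch.yml").read()))` on the new node before starting it; an empty list means none of the pitfalls above are present.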