Hi! Using Elastic 8.6.0 here.
I started over with a clean installation of Elastic and immediately tried to overwrite Elastic's self-generated certificate with my organization's certificate (which is a certificate generated by an authority). To do so, I went through these steps:
- uploaded my p12 to the Elastic server
- replaced http.p12 and transport.p12 with my organization's p12 in elasticsearch.yml
- overwrote all three parameters in the keystore:
sudo -u elasticsearch bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
sudo -u elasticsearch bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
sudo -u elasticsearch bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
with my p12 password.
Yet my Elastic won't start because it doesn't look to be trusted by the keystore:
[2023-01-25T15:09:06,872][ERROR][o.e.b.Elasticsearch ] [elastic-server] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/organization.p12] does not contain any trusted certificate entries
Or am I missing a point?
I read the elasticsearch-keystore documentation to get a clue about where or how to add a trusted certificate, but I haven't found anything. All the topics I read here seem to be outdated or do not apply to my case.
Does anyone have anything to put me on the right track?
EDIT: I tried to use /usr/share/elasticsearch/jdk/bin/keytool to import my crt into elasticsearch.keystore but ended up with an exception:
keytool error: java.security.KeyStoreException: Unrecognized keystore format. Please load it with a specified type
and then I'm lost.
Many thanks,
Marius