I generated a PEM certificate for my Elasticsearch; however, I am getting an error that it cannot read the configured PEM certificate due to a permissions issue. However, I verified the permissions, and it should have read/write/execute access.
Here is the error in journalctl that happens when I attempt to start Elasticsearch, and the permissions assigned to the file:
[root@elastichost elasticsearch]# journalctl --unit elasticsearch | tail -n 100 | grep "failed to load SSL"
Mar 12 20:12:04 elastichost.internal systemd-entrypoint[27881]: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM certificate [/etc/elasticesearch/elastic.<removed-domain>.cer] because access to read the file is blocked; SSL resources should be placed in the [/etc/elasticsearch] directory
Mar 12 20:28:54 elastichost.internal systemd-entrypoint[28299]: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM certificate [/etc/elasticesearch/elastic.<removed-domain>.cer] because access to read the file is blocked; SSL resources should be placed in the [/etc/elasticsearch] directory
[root@elastichost elasticsearch]# ls -ld $PWD/* | grep 'elastic\.'
-rwxrwxrwx 1 root elasticsearch 2289 Mar 12 20:05 /etc/elasticsearch/elastic.<removed-domain>.cer
-rwxrwxrwx 1 root elasticsearch 1675 Mar 12 20:05 /etc/elasticsearch/elastic.<removed-domain>.key
I have validated the certificate is in PEM format and not locked. Is there anything else I need to validate?
I have also attempted re-generating the certificate through my CA, and generating a new self-signed certificate via OpenSSL to verify the issue is not with the certificate itself.
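
An added example, not part of the original post: it parses the error text quoted above, compares the configured certificate path with the directory the message itself names, and flags `.key` files in the `ls -l` output whose mode grants group write or any access to other users. The function names are hypothetical and the sample lines are copied from the post.

```python
import re
from pathlib import PurePosixPath

# Sample lines copied from the post (the domain is already redacted there).
SAMPLE_LOG = (
    "org.elasticsearch.ElasticsearchSecurityException: failed to load SSL "
    "configuration [xpack.security.transport.ssl] - cannot read configured PEM "
    "certificate [/etc/elasticesearch/elastic.<removed-domain>.cer] because access "
    "to read the file is blocked; SSL resources should be placed in the "
    "[/etc/elasticsearch] directory"
)
SAMPLE_LS = [
    "-rwxrwxrwx 1 root elasticsearch 2289 Mar 12 20:05 /etc/elasticsearch/elastic.<removed-domain>.cer",
    "-rwxrwxrwx 1 root elasticsearch 1675 Mar 12 20:05 /etc/elasticsearch/elastic.<removed-domain>.key",
]

# Matches the message text shown in the post's journalctl output.
SSL_ERR = re.compile(
    r"failed to load SSL configuration \[(?P<setting>[^\]]+)\] - "
    r"cannot read configured PEM certificate \[(?P<path>[^\]]+)\].*?"
    r"should be placed in the \[(?P<allowed>[^\]]+)\] directory"
)

def check_ssl_path(log_line):
    """Return (setting, configured_path, allowed_dir, inside) or None if no match."""
    m = SSL_ERR.search(log_line)
    if not m:
        return None
    path, allowed = PurePosixPath(m["path"]), PurePosixPath(m["allowed"])
    # Pure string comparison of path components: symlinks and ".." are not resolved.
    inside = allowed in path.parents
    return m["setting"], str(path), str(allowed), inside

def loose_key_modes(ls_lines):
    """Return (file, mode) for *.key entries with group write or any 'other' access."""
    flagged = []
    for line in ls_lines:
        fields = line.split()
        if len(fields) < 9 or not fields[-1].endswith(".key"):
            continue
        mode = fields[0]  # e.g. "-rwxrwxrwx": [1:4] owner, [4:7] group, [7:10] other
        if mode[5] == "w" or mode[7:10] != "---":
            flagged.append((fields[-1], mode))
    return flagged

if __name__ == "__main__":
    print(check_ssl_path(SAMPLE_LOG))
    print(loose_key_modes(SAMPLE_LS))
```

On the post's sample lines, the first check reports that the configured path is not inside the directory named in the message, and the second flags the private key's `-rwxrwxrwx` mode.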