Can't connect node to cluster on another server

First of all, I want to be clear that I looked at several guides and suggested similar questions before opening this post, but none of them worked for our case, so I am a bit desperate right now.

Here is our situation:
The developer who created all this configuration is gone and we don't have a way to reach him. We don't have any password for the certificates or anything, in case that is needed.

Last week, our Elasticsearch stopped adding new records as it reached the state where the disk was almost full. We changed the config to get some time and now is working as expected. However, we want to add a new server with elasticsearch and form a cluster as we don't want to resize the disk because we don't want to lose anything.

Here is the configuration for the main server /etc/elasticsearch/elasticsearch.yml

cluster.name: goulue
node.name: master-node
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.max_content_length: 100mb
discovery.seed_hosts: ["127.0.0.1", "ip_node"]
xpack.license.self_generated.type: "basic"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: "certs/master-node/master-node.crt"
xpack.security.transport.ssl.certificate_authorities: "certs/ca/ca.crt"
#xpack.security.transport.ssl.truststore.path: "certs/elastic-certificates.p12"

xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.keystore.path: "certs/elastic-certificates.p12"
#xpack.security.http.ssl.truststore.path: "certs/elastic-certificates.p12"
xpack.security.http.ssl.certificate: certs/master-node/fullchain.crt
xpack.security.http.ssl.key: certs/master-node/privkey.key
#xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt
#

As I said, we created another server with the same elasticsearch version (7.6.2)

cluster.name: goulue
node.name: ico-elastic-node-2
node.data: true
node.master: false
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.zen.ping.unicast.hosts: ["ip_node_1"]
cluster.initial_master_nodes: ["master-node"]
xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
#xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.certificate: master-node.crt
xpack.security.transport.ssl.certificate_authorities: ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: fullchain.crt
xpack.security.http.ssl.key: privkey.key

I took a look at the logs and here is what I found:
Node 2

[ico-elastic-node-2] master not discovered yet: have discovered [{node-2}{G5SfrEv0RxaxmYf8urIFtQ}{XpfNNouCQx2HmYfw2AvoQw}{ip_server_2}{ip_server_29300}{dil}{ml.machine_memory=12558602240, xpack.installed=true, ml.max_open_jobs=20}]; discovery will continue using [ip_server_1, 127.0.0.1:9300] from hosts providers and [] from last-known cluster state; node term 0, last-accepted version 0 in term 0`

And the master:

    [master-node] exception caught on transport layer [Netty4TcpChannel{localAddress=/ip:9300, remoteAddress=/ip:36660}], closing connection
    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No available authentication scheme

Any suggestion? I'm desperate here because our master is yellow and we need to fix this ASAP.

The most important thing for us is to get the master node to green again and with enough space to make it work properly. If there is anything else we can do to avoid data lost without creating the cluster, please let me know.

Thank you for your time.

If you need urgent help, please reach out to your support engineer. This forum is best effort and there is no way to get dedicated help by the community here.

There definitely are more settings in this file, can you share the entire thing ? For instance there is no way to enable TLS ( i.e. xpack.security.transport.ssl.enabled: true ) for http and transport layer without actually configuring TLS.

In general, you'd need to configure transport TLS in your new node so that it can join the cluster. You have two options:

1 Like

Hey ikakavas. Sorry I didnt put the whole file. Here you can find it for the master node

cluster.name: goulue
node.name: master-node
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.max_content_length: 100mb
discovery.seed_hosts: ["95.179.139.6", "127.0.0.1", "95.179.154.158"]
xpack.license.self_generated.type: "basic"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: "certs/master-node/master-node.crt"
xpack.security.transport.ssl.certificate_authorities: "certs/ca/ca.crt"
#xpack.security.transport.ssl.truststore.path: "certs/elastic-certificates.p12"

xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.keystore.path: "certs/elastic-certificates.p12"
#xpack.security.http.ssl.truststore.path: "certs/elastic-certificates.p12"
xpack.security.http.ssl.certificate: certs/master-node/fullchain.crt
xpack.security.http.ssl.key: certs/master-node/privkey.key
#xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt
#

here is the whole config for the node 2

cluster.name: goulue
node.name: ico-elastic-node-2
node.data: true
node.master: false
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.zen.ping.unicast.hosts: ["95.179.140.41"]
cluster.initial_master_nodes: ["master-node"]
xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
#xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.certificate: master-node.crt
xpack.security.transport.ssl.certificate_authorities: ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: fullchain.crt
xpack.security.http.ssl.key: privkey.key

The developer who created all this configuration is gone and we don't have a way to reach him. We don't have any password for the certificates or anything, in case that is needed.

If you are able to run elasticsearch-keystore show on your existing nodes, you can recover the passwords.

The secure setting names depend if you are using keystores like PKCS12 or JKS, or if you are using keys+crts in PEM files. From your full config, it looks like you are using keystores, so the first two commands would apply.

If using keystores:

bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password

If using key+crt in PEM files:

bin/elasticsearch-keystore show xpack.security.http.ssl.secure_key_passphrase
bin/elasticsearch-keystore show xpack.security.transport.ssl.secure_key_passphrase

It looks like the command show doesnt exist for this

Sorry about that, show password was added to elasticsearch-keystore in 7.16.0. I see you are on 7.6.2.

Infra/Settings

  • Add show command to the keystore CLI #76693 (issue: #57261)

I did an experiment with 7.6.2 and 7.17.4 to confirm I can use 7.17.4 to show password.

I downloaded both zip archives on Linux, ran create and add in 7.6.2, copied elasticsearch.keystore to the 7.17.4 config directory, and successfully ran show to recover a password. You may be able to use this workaround to recover your passwords in elasticsearch 7.6.2.

cd ~/Downloads
tar xfz elasticsearch-7.6.2-linux-x86_64.tar.gz
tar xfz elasticsearch-7.17.4-linux-x86_64.tar.gz
cd ~/Downloads/elasticsearch-7.6.2
bin/elasticsearch-keystore create
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
cp ~/Downloads/elasticsearch-7.6.2/config/elasticsearch.keystore ~/Downloads/elasticsearch-7.17.4/config/elasticsearch.keystore
cd ~/Downloads/elasticsearch-7.17.4
bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
password1

elasticsearch 7.6 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Can you confirm that you previously had exactly 1 node, and now you want to add a second node?

If you only had 1 node before, then it's entirely possible that the xpack.security.transport.ssl.* configuration never worked because a single node cluster doesn't ever need to make connections between nodes.
That means, for example, that it's possible that master-node.crt isn't signed by ca.crt. If that's true, then trying to replicate that setup into a new node is going to fail.

However, the good thing if you currently have just one node is that you can start again with transport SSL, and nothing will break (because you don't use it today).

This guide walks you through setting up TLS for internode communication

It should be a matter of:

  1. Create a new CA (bin/elasticsearch-certutil ca)
  2. Create a new certificate+key for your nodes (bin/elasticsearch-certutil cert)
  3. Configure each of your nodes with
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate 
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    

However, I do recommend that you read the guide (linked above) to understand each of those steps.

1 Like

I can confirm that we didn't have any node previously.

After some tweaking, I discovered that after disabling the security on the master, the node is still unable to join the cluster, so something else should be happening here.

This is the error I get on the node-2

 master not discovered yet: have discovered [{ico-elastic-node-2}{G5SfrEv0RxaxmYf8urIFtQ}{VNB1gQ_WTDyQnDxNvC2Y0A}{95.179.154.158}{95.179.154.158:9300}{dil}{ml.machine_memory=12558602240, xpack.installed=true, ml.max_open_jobs=20}]; discovery will continue using [95.179.140.41:9200] from hosts providers and [] from last-known cluster state; node term 74, last-accepted version 0 in term 0

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.