Can't connect node to cluster on another server

Can you confirm that you previously had exactly 1 node, and now you want to add a second node?

If you only had 1 node before, then it's entirely possible that the xpack.security.transport.ssl.* configuration never worked because a single node cluster doesn't ever need to make connections between nodes.
That means, for example, that it's possible that master-node.crt isn't signed by ca.crt. If that's true, then trying to replicate that setup into a new node is going to fail.

However, the good thing if you currently have just one node is that you can start again with transport SSL, and nothing will break (because you don't use it today).

This guide walks you through setting up TLS for internode communication

It should be a matter of:

  1. Create a new CA (bin/elasticsearch-certutil ca)
  2. Create a new certificate+key for your nodes (bin/elasticsearch-certutil cert)
  3. Configure each of your nodes with
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

However, I do recommend that you read the guide (linked above) to understand each of those steps.

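The answer above raises the possibility that the existing node certificate (master-node.crt) was never actually signed by ca.crt, because a single-node cluster never exercises transport SSL. The script below is an added example, not code from the original thread or from Elastic: it shows the check a defender would run before copying that certificate to a second node, namely verifying that the node certificate chains to the CA with `openssl verify`. It assumes `openssl` is installed; the file names ca.crt and master-node.crt come from the post, while the throwaway test CA, the second unrelated CA and the helper names (`check_chain`, `make_test_pki`) are constructed here for illustration. In a real cluster the CA and node certificates come from the `bin/elasticsearch-certutil ca` and `bin/elasticsearch-certutil cert` steps in the answer.

```shell
#!/bin/sh
# Added example: confirm a node certificate really chains to the CA before
# reusing it on a new node. Assumes the `openssl` CLI is available.
#
# Real-cluster steps from the answer (shown here as comments only):
#   bin/elasticsearch-certutil ca      # creates a new CA
#   bin/elasticsearch-certutil cert    # creates node certificate + key

# check_chain CA_FILE CERT_FILE
# Returns 0 if CERT_FILE was signed by (chains to) CA_FILE, 1 otherwise.
# This is the check that a single-node cluster never performs implicitly.
check_chain() {
    ca="$1"
    cert="$2"
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# make_test_pki DIR
# Constructs a throwaway CA, a node certificate signed by it, and a second,
# unrelated CA, so check_chain can be exercised offline. Hypothetical test
# material only; never use these 1-day certificates in a cluster.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed test CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        >/dev/null 2>&1
    # Node key and certificate signing request
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=master-node" -keyout "$dir/master-node.key" \
        -out "$dir/master-node.csr" >/dev/null 2>&1
    # Sign the node CSR with the test CA
    openssl x509 -req -in "$dir/master-node.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -out "$dir/master-node.crt" >/dev/null 2>&1
    # An unrelated CA, to show what a mismatched ca.crt looks like
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=other-ca" -keyout "$dir/other-ca.key" \
        -out "$dir/other-ca.crt" >/dev/null 2>&1
}

# Usage against the file names from the post, if they exist in the
# current directory (typically the node's config/certs directory).
if [ -f ca.crt ] && [ -f master-node.crt ]; then
    if check_chain ca.crt master-node.crt; then
        echo "master-node.crt chains to ca.crt: safe to reuse this CA for the new node"
    else
        echo "master-node.crt is NOT signed by ca.crt: regenerate both with elasticsearch-certutil"
    fi
fi
```

If the check fails on the existing node, the second node will fail the transport TLS handshake no matter how carefully the settings are copied, which is exactly the situation the answer describes; regenerating the CA and node certificates is then the right fix.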