Can you confirm that you previously had exactly 1 node, and now you want to add a second node?
If you only had 1 node before, then it's entirely possible that the xpack.security.transport.ssl.* configuration never worked, because a single node cluster doesn't ever need to make connections between nodes.
That means, for example, that it's possible that master-node.crt isn't signed by ca.crt. If that's true, then trying to replicate that setup into a new node is going to fail.
However, the good thing if you currently have just one node is that you can start again with transport SSL, and nothing will break (because you don't use it today).
This guide walks you through setting up TLS for internode communication.
It should be a matter of:
- Create a new CA (bin/elasticsearch-certutil ca)
- Create a new certificate+key for your nodes (bin/elasticsearch-certutil cert)
- Configure each of your nodes with:

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
However, I do recommend that you read the guide (linked above) to understand each of those steps.
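The reply's key point is that a single-node setup may have shipped with a master-node.crt that was never actually signed by ca.crt, because nothing ever exercised the transport layer. The script below is an added example (not code from the reply's author or from Elastic) showing how to test that with the openssl CLI before copying the setup to a second node: it prints the subject/issuer of a node certificate, validates a PEM certificate against a CA, and does the same for a PKCS#12 keystore of the kind bin/elasticsearch-certutil writes. The certificate names, the CN values, the "changeit" keystore password and the demo CAs are all constructed here for the demonstration; in practice you would point the functions at your own ca.crt, master-node.crt or elastic-certificates.p12.

```shell
#!/bin/sh
# Added example, not part of the original forum reply. Requires the openssl CLI.
# Answers the question "is this node certificate really signed by this CA?"
# for both PEM files and a PKCS#12 keystore (the format certutil produces).
set -e

# Print subject and issuer of a PEM certificate. If the issuer does not match
# the CA's subject, the cert cannot have been signed by that CA.
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Return 0 when PEM certificate $2 validates against CA file $1, non-zero otherwise.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check for a PKCS#12 keystore: $1 = CA PEM, $2 = .p12 file, $3 = its password.
# The node's own certificate is pulled out of the keystore and verified as above.
p12_chain_ok() {
    p12_tmp=$(mktemp)
    openssl pkcs12 -in "$2" -nokeys -clcerts -passin "pass:$3" -out "$p12_tmp" 2>/dev/null
    p12_rc=0
    chain_ok "$1" "$p12_tmp" || p12_rc=$?
    rm -f "$p12_tmp"
    return $p12_rc
}

# ---- constructed demo material (assumed names): two unrelated CAs and one
# ---- node certificate signed by the first of them, plus a PKCS#12 bundle.
make_ca() {        # $1 = output prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}
make_node_cert() { # $1 = CA prefix, $2 = output prefix, $3 = CN
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -days 1 -in "$2.csr" \
        -CA "$1.crt" -CAkey "$1.key" -CAcreateserial -out "$2.crt" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)   # files are left here so they can be inspected afterwards
P12_PASS=changeit       # assumed keystore password for the demo bundle

make_ca "$DEMO_DIR/ca" demo-ca
make_ca "$DEMO_DIR/other-ca" some-other-ca
make_node_cert "$DEMO_DIR/ca" "$DEMO_DIR/master-node" master-node
# Bundle key + cert + CA into a PKCS#12, the same shape as elastic-certificates.p12.
openssl pkcs12 -export -inkey "$DEMO_DIR/master-node.key" -in "$DEMO_DIR/master-node.crt" \
    -certfile "$DEMO_DIR/ca.crt" -out "$DEMO_DIR/master-node.p12" -passout "pass:$P12_PASS" 2>/dev/null

# ---- the actual checks a practitioner would run before adding a second node
cert_names "$DEMO_DIR/master-node.crt"
if chain_ok "$DEMO_DIR/ca.crt" "$DEMO_DIR/master-node.crt"; then
    echo "master-node.crt chains to ca.crt: this CA can be reused for the new node"
else
    echo "master-node.crt is NOT signed by ca.crt: start over with a fresh CA"
fi
if chain_ok "$DEMO_DIR/other-ca.crt" "$DEMO_DIR/master-node.crt"; then
    echo "unexpected: master-node.crt validated against an unrelated CA"
else
    echo "master-node.crt correctly rejected by some-other-ca (expected)"
fi
if p12_chain_ok "$DEMO_DIR/ca.crt" "$DEMO_DIR/master-node.p12" "$P12_PASS"; then
    echo "certificate inside master-node.p12 chains to ca.crt"
else
    echo "certificate inside master-node.p12 does NOT chain to ca.crt"
fi
```

The "rejected by some-other-ca" branch is what you would see on the new node if its keystore was generated from a different CA than the one in the existing node's truststore, which is exactly the mismatch the reply warns about; in that situation regenerating everything from one CA with certutil, as the steps above describe, is simpler than trying to reconcile the old files.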