Hey,
I'm trying to run Elasticsearch with our own CA. Key and cert are provided by our PKI team.
Changes in elasticsearch.yml:
network.host: 0.0.0.0
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/<keystore>.jks
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/<keystore>.jks
  truststore.path: certs/<keystore>.jks
After changing the config, I ran:
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
systemctl restart elasticsearch.service
curl --cacert <chainfile> -u elastic 'https://<name>:9200/_cat/nodes?v'
Enter host password for user 'elastic':
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
<ip> 3 75 0 0.00 0.00 0.00 cdfhilmrstw * <name>
If I want to generate an enrollment token with the following command:
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node --url https://<name>:9200
I get the error:
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate
Documentation says:
elasticsearch-create-enrollment-token can only be used with Elasticsearch clusters that have been auto-configured for security.
How can I generate an enrollment token with our own certificates?
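The error states a precise condition: the HTTP keystore must contain a private key whose own certificate (the first in its chain, not the issuer above it) is a CA. This added example, not code from the original post or from Elastic's tooling, applies that check to a constructed, abbreviated `keytool -list -v` listing; the aliases, subjects and the trimmed listing layout are assumptions.

```python
import re

# Constructed, abbreviated `keytool -list -v` listing of a keystore built from PKI-issued
# node material: the CA cert appears only as chain link 2 and as a trusted entry, never with a key.
PKI_KEYSTORE_LISTING = """\
Alias name: es-node
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=es01, O=Example Corp
BasicConstraints:[
  CA:false
]
Certificate[2]:
Owner: CN=Example Corp CA, O=Example Corp
BasicConstraints:[
  CA:true
]
*******************************************
Alias name: corp-ca
Entry type: trustedCertEntry
Owner: CN=Example Corp CA, O=Example Corp
BasicConstraints:[
  CA:true
]
"""
# Same shape as produced by security auto-configuration, where the HTTP
# keystore holds the generated CA together with its private key (constructed).
AUTOCONFIG_KEYSTORE_LISTING = """\
Alias name: http_ca
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Elasticsearch security auto-configuration HTTP CA
BasicConstraints:[
  CA:true
]
"""
def keystore_entries(listing):
    """Yield (alias, entry_type, key_cert_is_ca) for each alias in the listing."""
    for block in listing.split("Alias name: ")[1:]:
        alias = block.split("\n", 1)[0].strip()
        etype = re.search(r"^Entry type: (\S+)", block, re.M)
        # Only Certificate[1] is bound to the private key; a CA:true further
        # down the chain is the issuer, not a CA the node holds a key for.
        key_cert = block.split("Certificate[2]")[0]
        is_ca = re.search(r"BasicConstraints:\[\s*CA:true", key_cert) is not None
        yield alias, (etype.group(1) if etype else ""), is_ca
def ca_private_key_aliases(listing):
    """Aliases that satisfy the enrollment-token check named in the error message."""
    return [a for a, t, ca in keystore_entries(listing) if t == "PrivateKeyEntry" and ca]
```

Run it against the real listing of `certs/<keystore>.jks`: an empty result reproduces the failure above, because a PKI team normally hands out the node key and the CA certificate, not the CA's private key.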