Cant create enrollment token with own certificates


I'm trying to run Elasticsearch with our own CA. Key and Cert are provide by our PKI-Team.

Changes in elasticsearch.yml:
  enabled: true
  keystore.path: certs/<keystore>.jks
  enabled: true
  verification_mode: certificate
  keystore.path: certs/<keystore>.jks
  truststore.path: certs/<keystore>.jks

After change config, i have run:

/usr/share/elasticsearch/bin/elasticsearch-keystore add
/usr/share/elasticsearch/bin/elasticsearch-keystore add
/usr/share/elasticsearch/bin/elasticsearch-keystore add

systemctl restart elasticsearch.service

curl --cacert <chainfile -u elastic 'https://<name>:9200/_cat/nodes?v'

Enter host password for user 'elastic':
ip             heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
<ip>            3          75   0    0.00    0.00     0.00 cdfhilmrstw *      <name>

If I want to generate a registration token with following command:

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node --url https://<name>:9200

i get the error:

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate

Documentation says:

elasticsearch-create-enrollment-token can only be used with Elasticsearch clusters that have been auto-configured for security.

How can i generate an enrollment token with our own certificates?

You can’t, but you don’t have to . You can very well configure your nodes manually by following the documentation and using your team provided keys/certificates

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.