Can't setup password for Elasticsearch cluster with multiple master nodes

avinash9999 · September 16, 2019, 3:04pm

Not able to setup password for Elasticsearch cluster with 3 (master + data) nodes.

I took advice from various post of many Elasticsearch Engineers to create cluster with 3 minimum nodes so I have create my cluster with 3 nodes with these configuration --

node 1

cluster.name: elasticsearch
node.name: server1
node.master: true
node.data: true
discovery.zen.ping.unicast.hosts: ["ip_of_server1","ip_of_server2","ip_of_server3"]
network.host: ip_of_server1
discovery.zen.minimum_master_nodes: 2

node 2

cluster.name: elasticsearch
node.name: server2
node.master: true
node.data: true
discovery.zen.ping.unicast.hosts: ["ip_of_server1","ip_of_server2","ip_of_server3"]
network.host: ip_of_server1
discovery.zen.minimum_master_nodes: 2

node 3

cluster.name: elasticsearch
node.name: server3
node.master: true
node.data: true
discovery.zen.ping.unicast.hosts: ["ip_of_server1","ip_of_server2","ip_of_server3"]
network.host: ip_of_server1
discovery.zen.minimum_master_nodes: 2

I have created certificates on all server--

bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""

I have also added these configuration on all 3 nodes yml--

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

After all of these I am using this command --

bin/elasticsearch-setup-passwords auto --verbose

But getting the following error --

Trying user password change call http://********:9200/_security/user/apm_system/_password?pretty
{
"error" : {
"root_cause" : [
{
"type" : "status_exception",
"reason" : "Cluster state has not been recovered yet, cannot write to the [null] index"
}
],
"type" : "status_exception",
"reason" : "Cluster state has not been recovered yet, cannot write to the [null] index"
},
"status" : 503
}

Unexpected response code [503] from calling PUT http://*********:9200/_security/user/apm_system/_password?pretty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index

Plese help, Thanks in advance!!

**Apart from Setting password my cluster is working fine handling failover

elasticforme · September 24, 2019, 9:22pm

what is the output of this

curl -XGET hostname:9200/_cluster/health?pretty

curl -XGET -u username hostname:9200/_cluster/health?pretty

TimV · September 25, 2019, 3:23am

This is where you have made a mistake.
If you generate a separate certificate like this on each server, then there is no relationship between those certificates and they nodes will not trust one another.

You need to generate a single CA for your cluster first, and then use that to generate certificates that are all issued by that one CA.
See Configure TLS | Elasticsearch Guide [8.11] | Elastic

system · October 23, 2019, 3:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.