Hi,
I'm getting the below error when I tried to enable transport SSL.
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
    at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:238) ~[?:?]
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:145) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:274) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970) ~[?:?]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_202]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1457) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:41990, remoteAddress=/10.x.x.x:9300
Config file: elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elastic2.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elastic2.cer
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/chain.cer" ]
Commands used to generate the certificate:
elasticsearch-certutil csr -in config/instance.yml
I signed the certificates using the organisation CA.
Please help me in getting this issue resolved.
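
Added example (not part of the original post and not Elasticsearch code): the trace above fails in checkTLSClient, so the thing to verify on a CA-signed node certificate is whether its Extended Key Usage extension lists clientAuth as well as serverAuth. The sketch below reads the extension with the Python standard library only; the function names and sample bytes are constructed for illustration, and the rule in usable_for_transport (no EKU, anyExtendedKeyUsage, or both purposes) is an assumption about what a mutually authenticated transport link needs.

```python
import ssl
import sys

EKU = bytes.fromhex("551d25")                      # OID 2.5.29.37, extendedKeyUsage
PURPOSES = {
    bytes.fromhex("2b06010505070301"): "serverAuth",
    bytes.fromhex("2b06010505070302"): "clientAuth",
    bytes.fromhex("551d2500"): "anyExtendedKeyUsage",
}
# Constructed sample: an Extensions body holding one EKU extension, serverAuth only.
SERVER_ONLY = bytes.fromhex("3013 0603551d25 040c 300a 0608 2b06010505070301")

def tlvs(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                          # long form: low bits = count of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length

def extensions_of(cert_der):
    """Return the body of the certificate's Extensions SEQUENCE (b"" if none)."""
    tbs = next(tlvs(next(tlvs(cert_der))[1]))[1]   # Certificate -> tbsCertificate
    for tag, value in tlvs(tbs):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            return next(tlvs(value))[1]
    return b""

def eku_purposes(extensions):
    """Return the EKU purpose names, or None when there is no EKU extension."""
    for _, ext in tlvs(extensions):
        fields = list(tlvs(ext))                   # OID, optional critical flag, OCTET STRING
        if fields[0][1] == EKU:
            seq = next(tlvs(fields[-1][1]))[1]     # OCTET STRING wraps SEQUENCE OF OID
            return [PURPOSES.get(oid, oid.hex()) for _, oid in tlvs(seq)]
    return None

def usable_for_transport(purposes):
    """Assumed rule: each node acts as TLS server and TLS client on the transport port."""
    return (purposes is None or "anyExtendedKeyUsage" in purposes
            or {"serverAuth", "clientAuth"} <= set(purposes))

if __name__ == "__main__":                         # usage: script.py <one-certificate PEM file>
    der = ssl.PEM_cert_to_DER_cert(open(sys.argv[1]).read())
    found = eku_purposes(extensions_of(der))
    print(found, "OK" if usable_for_transport(found) else "missing clientAuth/serverAuth")
```

The file passed on the command line must hold a single PEM certificate (the node certificate, not the chain).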