Closing connection Netty4HttpChannel Error

Hi,

I have an ELK on-premise setup deployed with docker (x3 nodes, x1 Kibana, 1x fleet-server).

Recently, I decided to generate self-signed certificates to ensure SSL and HTTPS communications. The only certificate signed by a trusted CA is for Kibana, so that I can easily use HTTPS to access it.

I’m using the following files:

  • Self Signed CA
    • caBundle.p12
    • caCert.pem
    • caKey.pem
  • Node01 (172.18.0.2)
    • es01.p12
  • Node02 (172.18.0.3)
    • es02.p12
  • Node03 (172.18.0.4)
    • es03.p12
  • Fleet Server (172.18.0.6)
    • fleet-server.crt
    • fleet-server.key
  • siem_bundle.pem (signed by trusted CA and used for Kibana on 172.18.0.5)

The issue I’m having is the following warning on the Elastic nodes:

"log.level": "WARN", "message":"caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/172.18.0.2:9200, remoteAddress=/10.3.200.7:38404}", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[es01][transport_worker][T#14]","log.logger":"org.elasticsearch.http.AbstractHttpServerTransport","elasticsearch.cluster.uuid":"H_BQHL-cSi20kBulsPztBQ","elasticsearch.node.id":"BjLdoaB7SkC9hSJoBcgSdg","elasticsearch.node.name":"es01","elasticsearch.cluster.name":"docker-cluster","error.type":"io.netty.handler.codec.DecoderException","error.message":"javax.net.ssl.SSLHandshakeException: (bad_certificate) Received fatal alert: bad_certificate" [...]

This is my elasticsearch.yml of node 01 (hostname: es01)

cluster.name: "docker-cluster"
xpack.ml.max_model_memory_limit: 8GB
network.host: es01
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.keystore.path: certNew/es01.p12
xpack.security.http.ssl.truststore.path: certNew/es01.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certNew/es01.p12
xpack.security.transport.ssl.truststore.path: certNew/es01.p12

I checked and the es01.p12 CA fingerprint matches with the caCert.pem.

I also tried to generate the es01 cert specifying the IP address with the following command: ./bin/elasticsearch-certutil cert --ca caBundle.p12 --ip 172.18.0.2 --name es01

without solving this issue.

Can you help me in any way?

Thanks.

Nothing?

The log message just means that the client at that address rejected the server certificate. Elasticsearch doesn’t get to learn why it did that, but a very common reason is that the client is not configured to trust the certificate(s) that ES presents.

To make the warning go away you’ll need to work out what client is making requests from this address and reconfigure it to accept ES’s certificate.
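
One way to work out which client is behind the warnings, as an added example that is not part of the original thread: it scans Elasticsearch server log lines for the Netty4HttpChannel warning and groups the TLS alerts by remote client IP. The sample lines are constructed (the first reuses the addresses from the log above) and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Netty prints socket addresses as "[hostname]/ip:port"; the hostname part may be empty.
CHANNEL_RE = re.compile(
    r"Netty4HttpChannel\{localAddress=[^/]*/(?P<local>[^,}]+), "
    r"remoteAddress=[^/]*/(?P<remote>[^}]+)\}"
)
# "Received fatal alert" means the peer (the client) sent the TLS alert.
ALERT_RE = re.compile(r"Received fatal alert: (?P<alert>\w+)")

# Constructed sample log lines (shortened); real input would be the node's server log.
SAMPLE_LINES = [
    '{"log.level": "WARN", "message":"caught exception while handling client http traffic, '
    'closing connection Netty4HttpChannel{localAddress=/172.18.0.2:9200, remoteAddress=/10.3.200.7:38404}", '
    '"error.message":"javax.net.ssl.SSLHandshakeException: (bad_certificate) Received fatal alert: bad_certificate"}',
    '{"log.level": "WARN", "message":"caught exception while handling client http traffic, '
    'closing connection Netty4HttpChannel{localAddress=/172.18.0.3:9200, remoteAddress=/10.3.200.7:38410}", '
    '"error.message":"javax.net.ssl.SSLHandshakeException: (bad_certificate) Received fatal alert: bad_certificate"}',
    '{"log.level": "WARN", "message":"caught exception while handling client http traffic, '
    'closing connection Netty4HttpChannel{localAddress=/172.18.0.2:9200, remoteAddress=/192.0.2.15:51122}", '
    '"error.message":"javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"}',
    '{"log.level": "INFO", "message":"started"}',
]

def client_ip(addr):
    """Drop the ephemeral source port; handles 'ip:port' and '[ipv6]:port'."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")

def failing_clients(lines):
    """Group TLS-alert warnings by client IP, most frequent first."""
    stats = defaultdict(lambda: {"count": 0, "alerts": Counter(), "listeners": set()})
    for line in lines:
        chan, alert = CHANNEL_RE.search(line), ALERT_RE.search(line)
        if not (chan and alert):
            continue  # not a client-rejected-handshake warning
        entry = stats[client_ip(chan["remote"])]
        entry["count"] += 1
        entry["alerts"][alert["alert"]] += 1
        entry["listeners"].add(chan["local"])  # which node/port the client hit
    return sorted(stats.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for ip, info in failing_clients(SAMPLE_LINES):
        print(ip, info["count"], dict(info["alerts"]), sorted(info["listeners"]))
```

The source port changes on every connection, so grouping on the IP alone is what ties repeated warnings to one client host.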