Yes, there is a connection between AZs.
From the command line I ping from the EC2 instance with IP 10.0.0.100/20 to the EC2 instance 10.0.16.100/20, and the connectivity is OK.
[ec2-user@ip-10-0-0-100 ~]$ sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/_cat/nodes
Enter host password for user 'elastic':
10.0.0.100 53 94 0 0.00 0.00 0.00 cdfhilmrstw * elastic-1a
[ec2-user@ip-10-0-0-100 ~]$ sudo ping 10.0.16.100
PING 10.0.16.100 (10.0.16.100) 56(84) bytes of data.
64 bytes from 10.0.16.100: icmp_seq=1 ttl=127 time=0.624 ms
64 bytes from 10.0.16.100: icmp_seq=2 ttl=127 time=0.632 ms
64 bytes from 10.0.16.100: icmp_seq=3 ttl=127 time=0.629 ms
64 bytes from 10.0.16.100: icmp_seq=4 ttl=127 time=0.603 ms
64 bytes from 10.0.16.100: icmp_seq=5 ttl=127 time=0.637 ms
^C
--- 10.0.16.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4170ms
rtt min/avg/max/mdev = 0.603/0.625/0.637/0.011 ms
[ec2-user@ip-10-0-0-100 ~]$
The logs from /var/log/elasticsearch/dev.log, where dev is the cluster name:
[2023-05-18T08:06:05,010][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:38832}
[2023-05-18T08:06:07,508][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59632}
[2023-05-18T08:06:08,928][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59638}
[2023-05-18T08:06:10,011][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59648}
[2023-05-18T08:06:11,332][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59650}
[2023-05-18T08:06:11,349][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59662}
[2023-05-18T08:06:11,349][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59678}
[2023-05-18T08:06:12,511][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59690}
[2023-05-18T08:06:15,009][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59696}
[2023-05-18T08:06:15,785][WARN ][o.e.h.n.Netty4HttpServerTransport] [elastic-1a] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.0.0.100:9200, remoteAddress=/10.0.4.149:59702}
Pinging between nodes does not show there is connectivity. Can you telnet to port 9300 on the other nodes in the cluster from every node and get an appropriate error (I am not expecting telnet to succeed due to security, but it should be able to reach the port)?
[2023-05-18T08:55:33,532][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [elastic-1a] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/10.0.0.100:9300, remoteAddress=/10.0.16.100:42124, profile=default}
Another log:
[2023-05-18T08:55:33,775][WARN ][o.e.c.s.DiagnosticTrustManager] [elastic-1a] failed to establish trust with server at [<unknown host>]; the server provided a certificate with subject name [CN=ip-10-0-16-100.eu-central-1.compute.internal], fingerprint [13d8fa575d0f2551f0b54375b061aadc26084ced], no keyUsage and no extendedKeyUsage; the certificate is valid between [2023-05-18T08:53:41Z] and [2122-04-24T08:53:41Z] (current time is [2023-05-18T08:55:33.775404267Z], certificate dates are valid); the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [ba3e965eb9a259c3823bb5a9222f1e8055d56596]) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl (with trust configuration: StoreTrustConfig{path=certs/transport.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX})]); this ssl context does trust a certificate with subject [CN=Elasticsearch security auto-configuration HTTP CA] but the trusted certificate has fingerprint [4aa66b94e99bf53d5ef73f82d1c3c2e7d6cccc1f] sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Another log:
[2023-05-18T08:55:33,778][WARN ][o.e.t.TcpTransport ] [elastic-1a] exception caught on transport layer [Netty4TcpChannel{localAddress=/10.0.0.100:42294, remoteAddress=/10.0.16.100:9300, profile=default}], closing connection io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
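The DiagnosticTrustManager warning above says it all: elastic-1a's transport.p12 trusts a CA with fingerprint 4aa66b94..., while the peer at 10.0.16.100 presents a certificate signed by a different self-issued CA with fingerprint ba3e965e..., so the two nodes were auto-configured with independent CAs. As an added check that is not from this thread, the script below reproduces that comparison offline: it computes the SHA-1 DER fingerprints Elasticsearch prints for every certificate in a PEM bundle (for example the trusted CA exported from the truststore, and the chain a peer presents on port 9300 as shown by `openssl s_client -showcerts`) and reports which issuer is missing from the node's trust anchors. The PEM bundle embedded for testing is constructed and is not a real certificate.

```python
"""Compare the CA fingerprints a node trusts with the chain a peer presents.

Elasticsearch's DiagnosticTrustManager reports SHA-1 fingerprints over the
DER encoding, so the same hash is used here (stdlib only, no X.509 parsing).
"""
import base64
import hashlib
import re
import sys
from typing import List, Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-1 hex fingerprint of every certificate in a PEM bundle, in order."""
    fps = []
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.append(hashlib.sha1(der).hexdigest())
    return fps


def trust_mismatch(trusted: List[str], peer_chain: List[str]) -> Optional[str]:
    """Return None when some certificate in the peer's chain is one of this
    node's trust anchors; otherwise return the fingerprint of the chain's last
    certificate, i.e. the issuer this node would have to trust."""
    if not peer_chain:
        raise ValueError("peer presented no certificates")
    anchors = {fp.lower() for fp in trusted}
    if any(fp.lower() in anchors for fp in peer_chain):
        return None
    return peer_chain[-1].lower()


# Fingerprints quoted in the thread's DiagnosticTrustManager warning.
TRUSTED_BY_ELASTIC_1A = ["4aa66b94e99bf53d5ef73f82d1c3c2e7d6cccc1f"]
ISSUER_SEEN_FROM_PEER = "ba3e965eb9a259c3823bb5a9222f1e8055d56596"

# Constructed PEM bundle for testing: bodies are base64 of "abc" and of an
# empty string, so the fingerprints are the SHA-1 test vectors, not real certs.
CONSTRUCTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: check_transport_trust.py <trusted_ca.pem> <peer_chain.pem>
    with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
        bad = trust_mismatch(pem_fingerprints(f.read()), pem_fingerprints(g.read()))
    print("peer chains to a trusted CA" if bad is None
          else f"peer issuer {bad} is not among this node's trust anchors")
```

If the reported issuer differs from the fingerprint in the node's truststore, the fix is to give every node the same transport CA (copy the first node's transport.p12 or enrol the node with an enrollment token) rather than to widen trust.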