Configure multi node configuration with enrollment token - Elasticsearch 8.0.0

Hi team,

I am trying to install Elasticsearch 8.0.0 and form a multi-node cluster, but using the enrollment token, the other node is not accepting and joining the cluster. The error I faced is:
it does not support multi node cluster or it is missing some configuration in the file below.
As of now I am planning to use the default self-signed certificate for testing, but will use an intermediate CA for prod.

elasticsearch.yml

cluster.name: xxxxxxx
node.name: ${HOSTNAME}
network.host: xx.xx.xx.xx
discovery.seed_hosts: ["elastic01","elastic02","elastic03"]
cluster.initial_master_nodes: ["elastic01","elastic02","elastic03"]
# using default certificate setting created during installation 
node.roles: [ data, master, ingest ]
# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p1

> the error i faced is
> it does not support multi node cluster or it is missing some configuration below file.

This is not an error that Elasticsearch would throw. Please share the exact way you try to start the second node and have it join the cluster, along with the exact error you are getting, so that we can help you further.

Hi @ikakavas,

I need to form a 5-node cluster, but I am stuck with adding the 2nd node.
Also, while adding a new node, the certs, keystore and sometimes the elasticsearch.yml file are deleted.

Steps I followed:

  1. I started the first node with the above configuration yml file.
  2. Created the enrollment token on the first node.
  3. On the second node, used the reconfigure command as below:
    /usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <enrollment-token from 1st node>
  4. Faced the issue below:

This node will be reconfigured to join an existing cluster, using the enrollment token that you provided.
This operation will overwrite the existing configuration. Specifically:

  • Security auto configuration will be removed from elasticsearch.yml
  • The [certs] config directory will be removed
  • Security auto configuration related secure settings will be removed from the elasticsearch.keystore

Do you want to continue with the reconfiguration process [y/N]y

[update]
Since each node uses different certificates not signed by the same CA, to resolve this I created my PEM certificates for all the nodes with cert util, but faced the below error now.
(Note: I don't have a password set for the HTTP and transport private keys or for the CA.)


ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore

I’m assuming you are installing Elasticsearch with the DEB/RPM package. Not sure if that’s what you are trying to do, but you can’t install multiple nodes on the same machine with the package installation; you need to look into using the archives or Docker. If you want a 5-node cluster installed with DEB/RPM, then you need 5 different hosts.

The second node needs to be on another machine. On that second machine, after installation, and before you touch anything or start Elasticsearch, you should run

/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <enrollment-token from 1st node>

What happens when you do that? You shared the initial output of the command but not what happens after that. The tool would configure the second node to join the cluster and then you would just have to start Elasticsearch.

> also while adding new node , the certs, keystore and sometimes the Elasticsearch.yml file is deleted.

Yes, we need to overwrite the configuration that happens during installation; we point that out when you run the tool:

This will overwrite the existing configuration. Specifically:

  • Security auto configuration will be removed from elasticsearch.yml
  • The [certs] config directory will be removed
  • Security auto configuration related secure settings will be removed from the elasticsearch.keystore

> since each node use different certificates not signed by same ca ,to resolve this , i created my pem certificates for all the nodes with cert util , but faced below error now ,

The enrollment process is supported and designed to work only with the TLS autoconfiguration that is performed by Elasticsearch, so it won’t work with the certificates you have created.
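
What a node enrollment token carries, and how to check it before running the reconfigure tool, as an added example (not part of the thread and not Elastic's code). It assumes the 8.x token is base64-encoded JSON with the fields `ver`, `adr`, `fgr` (SHA-256 of the auto-generated HTTP CA certificate) and `key`; the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import re

# Assumed 8.x token layout: base64(JSON) carrying these four fields.
REQUIRED = ("ver", "adr", "fgr", "key")


def inspect_enrollment_token(token: str) -> dict:
    """Decode a token and report what it pins; the API key secret is dropped."""
    raw = token.strip()
    try:
        doc = json.loads(base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError(f"not a base64-encoded JSON token: {exc}") from None
    if not isinstance(doc, dict) or any(f not in doc for f in REQUIRED):
        raise ValueError(f"token must be a JSON object with fields {REQUIRED}")
    if not isinstance(doc["adr"], list) or not doc["adr"]:
        raise ValueError("adr must be a non-empty list of host:port strings")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", str(doc["fgr"])):
        raise ValueError("fgr is not a SHA-256 hex fingerprint")
    loopback = ("127.", "localhost", "[::1]")
    return {
        "version": doc["ver"],
        "addresses": doc["adr"],
        "ca_fingerprint": str(doc["fgr"]).lower(),
        "api_key_id": str(doc["key"]).split(":", 1)[0],  # secret half not returned
        # True means no other host can reach the node this token points at.
        "loopback_only": all(str(a).startswith(loopback) for a in doc["adr"]),
    }


def ca_matches(info: dict, ca_der: bytes) -> bool:
    """True if a DER-encoded CA certificate hashes to the pinned fingerprint."""
    return hmac.compare_digest(hashlib.sha256(ca_der).hexdigest(), info["ca_fingerprint"])


# Constructed sample, not a real token: placeholder CA bytes, key and address.
SAMPLE_CA_DER = b"constructed CA certificate bytes"
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "ver": "8.0.0",
    "adr": ["192.0.2.10:9200"],
    "fgr": hashlib.sha256(SAMPLE_CA_DER).hexdigest(),
    "key": "constructed-id:constructed-secret",
}).encode()).decode()
```

A token whose `ca_fingerprint` does not match the CA the first node actually serves on its HTTP layer, or whose addresses are all loopback, cannot enroll a node on another host.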

@ikakavas

Thanks, I was able to form the cluster with the auto TLS configured. However, I need to add the same cluster name as the 1st node on all the nodes.

My question is: I need to add Kibana on one of the Elastic nodes. When I generate the token and add it, it shows it is already configured. So what should I do to add Kibana on one of these nodes, since the enrollment token command is the same?

Another doubt: if I want my TLS and HTTP certificates signed by the org CA, do we still need the enrollment token?
Please point out where I can find this.

Also, as of 8.0.0, p12 is the default certificate recommended; do we still support PEM? In both cases, do we still need the enrollment token?

Please share exactly what you do and exactly what the error is. It is really hard for us to help you otherwise. For what it's worth, the docs are here: Install Kibana with Debian package | Kibana Guide [8.11] | Elastic

No, you can still configure security features as you would in previous versions. The enrollment flow is an additional way; it doesn’t replace any existing configuration option. Our docs are here: Manually configure security | Elasticsearch Guide [8.11] | Elastic

Yes, PEM-encoded keys and certificates are still supported.

OK, thanks @ikakavas. I think I was confused about where to paste the enrollment token for Kibana. Now it is up and running.
