Creating an enrollment token in Elastic fails due to PrivateKey error

I have created a three-node Elastic cluster, with two being master nodes.
I have created CS, CERT and http.p12 files manually, all placed on their respective machines, and when I run Elastic, everything boots successfully and the members find each other and join the cluster without any error.
But when I attempt to create an enrollment token for Kibana using the following command:

```
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana --url "https://IP_ADDRESS:9200"
```

It shows the following error:


```
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate
```

Cannot understand why. The passwords are correctly set in the keystore and the nodes do not show any error.

I do not know the answer to your question, but would like to point out that having a cluster with 2 master-eligible nodes is a bad idea as it does not give any high availability, which I suspect is what you are looking to achieve. Instead make all 3 nodes master-eligible so that you are able to continue operating even if one master-eligible node goes down.

Thanks for the response
But this is not the concern of the question.

The enrollment process is unfortunately designed to work only with the TLS configuration that happens automatically on startup and not with custom user configurations.

You can still use the UI configuration in Kibana without the enrollment token, just click on the “Configure manually” button on that screen. Hope this helps!

FWIW, this issue is tracked at Generating enrolment token for Kibana should not require the CA key · Issue #89017 · elastic/elasticsearch · GitHub
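The condition named in the error message can be checked offline against an `http.p12` file. The following is an added example, not part of the original thread and not Elastic's code: it assumes the Python `cryptography` package is installed and that "CA certificate" means a certificate with basicConstraints `CA:TRUE`; the function names are hypothetical.

```python
"""Report whether a PKCS#12 keystore holds a private key bound to a CA certificate."""
import getpass
import sys
from typing import Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives.serialization import pkcs12


def is_ca(cert: x509.Certificate) -> bool:
    """True when the certificate carries basicConstraints with CA:TRUE."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return bool(ext.value.ca)


def ca_key_entry(p12_bytes: bytes, password: Optional[str]) -> Tuple[bool, bool, Optional[str]]:
    """Return (has_private_key, key_cert_is_ca, key_cert_subject).

    Assumption: the keystore has a single private key entry, as a typical
    http.p12 does. The library returns only the first private key and the
    certificate bound to it; other certificates in the file (for example a
    CA certificate stored without its key) are ignored here on purpose,
    because the error message is about PrivateKey entries only.
    """
    pw = password.encode() if password else None
    key, cert, _others = pkcs12.load_key_and_certificates(p12_bytes, pw)
    if key is None or cert is None:
        return (key is not None, False, None)
    return (True, is_ca(cert), cert.subject.rfc4514_string())


if __name__ == "__main__":
    # Usage: python check_http_p12.py /path/to/http.p12
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    has_key, cert_is_ca, subject = ca_key_entry(data, getpass.getpass("Keystore password: "))
    print(f"private key present: {has_key}")
    print(f"certificate for that key: {subject}")
    print(f"that certificate is a CA: {cert_is_ca}")
```

A keystore built by hand from a node certificate, its key and the CA certificate alone reports `False` on the last line, which is the situation the error message describes.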
