I'm trying to set up an Elasticsearch cluster using auto-renewing certs with certmonger from our enterprise CA. I'm running into a problem that has been discussed in many threads, where the answer always seems to be some variation of, "Just set up the cluster manually, without using enrollment tokens."
Is there a walkthrough doc anywhere for setting up a cluster manually, without using enrollment tokens?
Error I'm getting when trying to generate an enrollment token:
    # /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
    Unable to create enrollment token for scope [node]
    ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate
Forum threads and a bug entry that I've read which all seem to say "if you use an enterprise CA, you'll have to set up your cluster manually" (though most of them are about Kibana, which I haven't gotten to yet):
Creating an enrollment token in Elastic fails due to PrivateKey error - Elastic Stack / Elasticsearch - Discuss the Elastic Stack
Import CA Cert as PrivateKeyEntry to HTTP Keystore - Solve Unable to create enrollment token Error - Elastic Stack / Elasticsearch - Discuss the Elastic Stack
Generating enrolment token for Kibana should not require the CA key · Issue #89017 · elastic/elasticsearch · GitHub
Create enrollment for kibana impossible with certificate Lets Encript - Elastic Stack / Elasticsearch - Discuss the Elastic Stack
Configure TLS production environment with own CA - Elastic Stack / Elasticsearch - Discuss the Elastic Stack
I have also read the doc about generating CSRs, but it doesn't seem to have any mechanism for auto-renewing the certs, so it doesn't solve the problem I'm trying to solve.
In theory all I need is a walkthrough of how to set up a cluster without using enrollment tokens, so it would be great if someone could point me to one. Thanks!