Hi
Elastic 6.8.0
Centos 7.6 (64-bit)
I have a 2-node Elastic cluster in my sandbox.
I created the .p12 file myself with company certificates:
openssl pkcs12 -export -in company_domain.cer -inkey company_domain.key -name "elastic" -out mytest.p12
Then imported the trusted certificate (ca-pem.cer) via Keystore Explorer.
Copied mytest.p12 to both nodes.
Added to the elasticsearch.yml file:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: certs/mytest.p12
xpack.security.transport.ssl.truststore.path: certs/mytest.p12
Started elasticsearch Node1, all good, cluster in yellow state.
Started elasticsearch Node2, all good, cluster in green state.
Then deleted the previous rows and added these instead to the elasticsearch.yml file (bear in mind that these are the exact same certificates and keys that previously worked just fine). Copied company_domain.key, company_domain.cer and ca-pem.cer to both nodes.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: certs/company_domain.key
xpack.security.transport.ssl.certificate: certs/company_domain.cer
xpack.security.transport.ssl.certificate_authorities: certs/ca-pem.cer
Started elasticsearch Node1, all good, cluster in yellow state.
Started elasticsearch Node2, and I get:
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
(cluster stays in yellow state and nodes will not communicate with each other)
...
[2019-05-24T11:34:52,173][INFO ][o.e.n.Node ] [dev-dc2-rk] initialized
[2019-05-24T11:34:52,173][INFO ][o.e.n.Node ] [dev-dc2-rk] starting ...
[2019-05-24T11:34:52,280][INFO ][o.e.t.TransportService ] [dev-dc2-rk] publish_address {10.61.2.18:9300}, bound_addresses {127.0.0.1:9300}, {10.61.2.18:9300}
[2019-05-24T11:34:52,311][INFO ][o.e.b.BootstrapChecks ] [dev-dc2-rk] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2019-05-24T11:34:52,657][WARN ][o.e.t.OutboundHandler ] [dev-dc2-rk] send message failed [channel: Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:55656, remoteAddress=dev-dc1-rk.just.sise/10.51.2.18:9300}]
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_212]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295) ~[netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1301) [netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1203) [netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247) [netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) [netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) [netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) [netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:556) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:510) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909) [netty-common-4.1.32.Final.jar:4.1.32.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
[2019-05-24T11:34:52,666][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [dev-dc2-rk] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:55656, remoteAddress=dev-dc1-rk.just.sise/10.51.2.18:9300}
[2019-05-24T11:34:52,667][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [dev-dc2-rk] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:55656, remoteAddress=dev-dc1-rk.just.sise/10.51.2.18:9300}
[2019-05-24T11:34:53,423][WARN ][o.e.t.OutboundHandler ] [dev-dc2-rk] send message failed [channel: Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:55658, remoteAddress=dev-dc1-
...
This is very strange. I do not understand why these files won't work. Only the .p12 seems to work.
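An added diagnostic, not part of the original post and not Elastic's own tooling: the two configurations differ in what is trusted. With keystore.path/truststore.path pointing at mytest.p12, a peer's certificate is accepted if it chains to anything that was imported into that PKCS#12 file; with certificate_authorities, only the certificates inside ca-pem.cer are trusted, and the key/cert pair is read straight from the PEM files. Before pointing xpack.security.transport.ssl.key, .certificate and .certificate_authorities at PEM files, the checks a peer will effectively perform in the handshake (key matches cert, cert chains to the trusted file, and, for verification_mode: full, the peer's name or IP is in the subjectAltName) can be run with openssl. The script below assumes openssl on PATH and an unencrypted key; the file names are placeholders, and the demo CA and node certificate it generates are constructed test data, not the poster's company certificates (the hostname and IP come from the log above).

```shell
#!/bin/sh
# Added example: consistency checks for PEM material used by
# xpack.security.transport.ssl.key / .certificate / .certificate_authorities.
# Assumes openssl on PATH and an unencrypted private key.

# check_tls_material KEY CERT CA
# Returns 0 when KEY matches CERT and CERT chains to a certificate in CA,
# 1 otherwise. Either mismatch makes a peer reject the handshake.
check_tls_material() {
    key="$1"; cert="$2"; ca="$3"
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key is not a readable (unencrypted) private key" >&2
        return 1
    fi
    # 1. The private key and the certificate must carry the same public key.
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: public key in $key does not match $cert" >&2
        return 1
    fi
    # 2. The certificate must verify against the CA file that will be trusted.
    #    certificate_authorities trusts only what is in that file. -partial_chain
    #    mirrors Java, which accepts any certificate in the trust store as an anchor.
    if ! openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to a certificate in $ca" >&2
        return 1
    fi
    echo "OK: $key, $cert and $ca are consistent"
    return 0
}

# cert_has_san CERT NAME
# verification_mode: full also requires the peer's hostname or IP to appear in
# the certificate's subjectAltName. Returns 0 when NAME is listed there.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "(DNS|IP Address):$2(,|\$)"
}

# make_demo_material DIR
# Constructed test data: a throwaway root CA, an unrelated second CA, and a node
# certificate with a SAN taken from the log above. Not real company certificates.
make_demo_material() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'subjectAltName=DNS:dev-dc1-rk.just.sise,IP:10.51.2.18\n' > "$dir/node.ext"
    for name in ca other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -extfile "$dir/ca.ext" -out "$dir/$name.pem" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dev-dc1-rk" \
        -keyout "$dir/node.key" -out "$dir/node.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/node.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/node.ext" -out "$dir/node.pem" >/dev/null 2>&1
}

# Usage: sh check_tls.sh KEY CERT CA [PEER_NAME_OR_IP]
if [ "$#" -ge 3 ]; then
    check_tls_material "$1" "$2" "$3" || exit 1
    if [ "$#" -ge 4 ]; then
        cert_has_san "$2" "$4" && echo "OK: $4 is in the SAN of $2" \
            || { echo "FAIL: $4 is not in the SAN of $2" >&2; exit 1; }
    fi
fi
```

Run it on each node as `sh check_tls.sh certs/company_domain.key certs/company_domain.cer certs/ca-pem.cer dev-dc1-rk.just.sise` (paths relative to the Elasticsearch config directory, as in elasticsearch.yml). If the chain check fails while the .p12 works, compare the certificates in ca-pem.cer with the trusted entries that Keystore Explorer shows in mytest.p12; the PEM file has to carry every certificate the peer's chain needs.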