Elastic 6.1 Internode communication error: SSL handshake exception

Aby · February 28, 2018, 5:48pm

I have a 3 node cluster with 1 master and 2 data nodes.

SSL/TSL has been setup by getting organization signed certificate.

When i seperate the nodes within the cluster by assigning different cluster names and starting the elastic search. ES runs fine.

Elasticsearch.yml file:

xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack:
security:
authc:
realms:
ldap3:
type: ldap
url: ""
bind_dn: "********************"
bind_password: sdf
user_search:
base_dn: "DC=****,DC=net"
attribute: CN

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
#xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/bin/x-pack/elastic-certificates.p12
#xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/bin/x-pack/elastic-certificates.p12

xpack.ssl.key: /usr/share/elasticsearch/bin/x-pack/certificate.demo.key
xpack.ssl.certificate: /usr/share/elasticsearch/bin/x-pack/certificate.crt
xpack.ssl.certificate_authorities: [ "/usr/share/elasticsearch/bin/x-pack/certificate_ca.crt" ]

xpack.security.http.ssl.enabled: true

But when i rejoin the nodes with the same cluster name i get the attached

error:

TimV · February 28, 2018, 6:39pm

Please make the effort to format your post to be as readable as possible - in particular, please provide log files as text, formatted as a code block (the </> button), rather than images.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow content that is locked up in images.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.

Thanks.

TimV · February 28, 2018, 6:41pm

It looks like that CA does not provide the correct trust path for the certificate you are using.

How did you obtain that CA?

Aby · March 2, 2018, 10:17am

Thanks I took a note..I believe it recommended the exceeding characters to be cut short.

Ok, to answer you question, I used OpenSSL to generate a CSR with a key. Passed on the CSR file to my trusted certificate admin who then created a CA.

i manually then converted the .cer file provided to .crt format and used it to set up the SSL/TLS config in elasticsearch.yml file.

TimV · March 3, 2018, 7:31pm

It may just be an issue with terminology, but that doesn't quite make sense.
The "CA" is the certficate for your trusted certicate admin they shouldn't be creating a new one for you.

What you need is for the certificate_ca.crt to be the CA that generated+signed your certificate.crt file. It doesn't look like that is the case here (based on the error message).

Aby · March 5, 2018, 10:01am

Apologies my statement was incorrect!!! Yes you are right. certificate_ca.crt is the CA that was used to generate and sign the certificate.crt.

CSR file was generated from my end for each node and sent to the trusted admin who used the certificate_CA.crt to sign and generate certificate.crt.

system · April 2, 2018, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.