Hello good morning!
I am trying to create an elastic cluster in version 8.10.3 but when starting the coordinator role I get the following error:
[ithrtc3aen1elk1-coordinator-1] failed to establish trust with server at [<unknown host>]; the server provided a certificate with subject name [CN=Elastic Certificate Tool Autogenerated CA], fingerprint [aa90cab2606f05f43fcd1ef5ccdc012f8957dc28], no keyUsage and no extendedKeyUsage; the certificate is valid between [2019-09-04T22:17:11Z] and [2022-09-03T22:17:11Z] (current time is [2023-10-24T17:42:40.782165681Z], ** certificate has expired ); the session uses cipher suite [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] and protocol [TLSv1.2]; the certificate does not have any subject alternative names; the certificate is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl (with trust configuration: StoreTrustConfig{path=/home/elk/new_cluster/elasticsearch-8.10.3/configCoordinator1 /elastic-certificates.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX})]); this ssl context does trust a certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted certificate has fingerprint [6d4a7492377c7f2d81a988422606f6dfa8854af7]sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:318)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:267)
at java.base/sun.security.validator.Validator.validate(Validator.java:256)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
See logs for more details.
The configuration of the coordinator role is as follows:
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: oym-cluster-new
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: ithrtc3aen1elk1-coordinator-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /elasticsearch/elastic-8.10.3/dataCoordinator1
#
# Path to log files:
#
path.logs: /elasticsearch/elastic-8.10.3/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 10.119.131.8
#
# Set a custom port for HTTP:
#
http.port: 9270
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["10.119.131.8", "10.119.131.10", "10.119.131.12"]
discovery.seed_hosts: ["10.119.131.8", "10.119.131.10", "10.119.131.12"]
#
# Set a custom port for Transport:
#
#transport.port: 9301 - 9400
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
#discovery.zen.minimum_master_nodes: 2
cluster.initial_master_nodes: ["ithrtc3aen1elk1-master-1","ithrtc3aen1elk2-master-1","ithrtc3aen1elk3-master-1"]
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
xpack.ml.enabled: true
node.attr.rack_id: elk1
cluster.routing.allocation.awareness.attributes: rack_id
xpack.monitoring.collection.enabled: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /home/elk/new_cluster/elasticsearch-8.10.3/configCoordinator1/elastic-certificates.p12
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.path: /home/elk/new_cluster/elasticsearch-8.10.3/configCoordinator1/elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12