Elastic 8.10.3 failed to establish trust with server at [<unknown host>]; the server provided a certificate with subject name

efrainMZ · October 24, 2023, 5:57pm

Hello good morning!

I am trying to create an elastic cluster in version 8.10.3 but when starting the coordinator role I get the following error:

[ithrtc3aen1elk1-coordinator-1] failed to establish trust with server at [<unknown host>]; the server provided a certificate with subject name [CN=Elastic Certificate Tool Autogenerated CA], fingerprint [aa90cab2606f05f43fcd1ef5ccdc012f8957dc28], no keyUsage and no extendedKeyUsage; the certificate is valid between [2019-09-04T22:17:11Z] and [2022-09-03T22:17:11Z] (current time is [2023-10-24T17:42:40.782165681Z], ** certificate has expired ); the session uses cipher suite [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] and protocol [TLSv1.2]; the certificate does not have any subject alternative names; the certificate is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl (with trust configuration: StoreTrustConfig{path=/home/elk/new_cluster/elasticsearch-8.10.3/configCoordinator1 /elastic-certificates.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX})]); this ssl context does trust a certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted certificate has fingerprint [6d4a7492377c7f2d81a988422606f6dfa8854af7]sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:318)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:267)
        at java.base/sun.security.validator.Validator.validate(Validator.java:256)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)

See logs for more details.

The configuration of the coordinator role is as follows:

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: oym-cluster-new
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: ithrtc3aen1elk1-coordinator-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /elasticsearch/elastic-8.10.3/dataCoordinator1
#
# Path to log files:
#
path.logs: /elasticsearch/elastic-8.10.3/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 10.119.131.8
#
# Set a custom port for HTTP:
#
http.port: 9270
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["10.119.131.8", "10.119.131.10", "10.119.131.12"]
discovery.seed_hosts: ["10.119.131.8", "10.119.131.10", "10.119.131.12"]
#
# Set a custom port for Transport:
#
#transport.port: 9301 - 9400
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
#discovery.zen.minimum_master_nodes: 2
cluster.initial_master_nodes: ["ithrtc3aen1elk1-master-1","ithrtc3aen1elk2-master-1","ithrtc3aen1elk3-master-1"]
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
xpack.ml.enabled: true
node.attr.rack_id: elk1
cluster.routing.allocation.awareness.attributes: rack_id
xpack.monitoring.collection.enabled: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /home/elk/new_cluster/elasticsearch-8.10.3/configCoordinator1/elastic-certificates.p12
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.path: /home/elk/new_cluster/elasticsearch-8.10.3/configCoordinator1/elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12

leandrojmp · October 24, 2023, 7:23pm

the server provided a certificate with subject name [CN=Elastic Certificate Tool Autogenerated CA], fingerprint [aa90cab2606f05f43fcd1ef5ccdc012f8957dc28], no keyUsage and no extendedKeyUsage; the certificate is valid between [2019-09-04T22:17:11Z] and [2022-09-03T22:17:11Z] (current time is [2023-10-24T17:42:40.782165681Z], ** certificate has expired )

The certificate is expired, you can't add a new node on a cluster with an expired certificate.

You need to generate new certificates for your cluster.

efrainMZ · October 24, 2023, 8:46pm

Hello leadrojmp!
I thought the same thing about the expiration of the certificate but I have a master role and when I start it the same error does not return, how can I know if my certificate is expired?

efrainMZ · October 24, 2023, 9:01pm

My certificate is valid and has not expired yet:

(base) [elk@ithrtc3aen1elk1 configCoordinator1]$ keytool -keystore elastic-stack-ca.p12 -list -v
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: certificado-new
Creation date: Oct 24, 2023
Entry type: trustedCertEntry

Owner: CN=Elastic Certificate Tool Autogenerated CA
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: 23b4ab1b5c3048aff5e6c9b761f88c1fac46cbec
Valid from: Tue Oct 24 10:53:58 CST 2023 until: Fri Oct 23 10:53:58 CST 2026
Certificate fingerprints:
         SHA1: 6D:4A:74:92:37:7C:7F:2D:81:A9:88:42:26:06:F6:DF:A8:85:4A:F7
         SHA256: 05:D7:95:77:99:15:BE:85:39:7F:88:39:54:43:ED:3A:E1:6C:17:62:6C:E8:AC:E8:21:9D:CF:EF:91:DE:E5:9D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F6 C5 1E 53 C4 F7 0E 73   81 78 B1 85 1F 19 80 B0  ...S...s.x......
0010: 9F 09 A4 D4                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 C5 1E 53 C4 F7 0E 73   81 78 B1 85 1F 19 80 B0  ...S...s.x......
0010: 9F 09 A4 D4                                        ....
]
]



*******************************************
*******************************************

TimV · October 25, 2023, 5:45am

My certificate is valid and has not expired yet:

Your original error message says:

this ssl context does trust a certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted certificate has fingerprint [6d4a7492377c7f2d81a988422606f6dfa8854af7]

That means you have two different CA certificates in use. The one you posted here hasn't expired, but it seems that you have another one somewhere.

efrainMZ · October 25, 2023, 2:30pm

Hello Tim Vernum good morning!
I don't understand why it seems to be like this, I have copied the certificate from the master role to the coordinator role and with the master it works very well.

How could I validate the certificate I use for each role?

TimV · October 26, 2023, 6:10am

The problem is on whatever node the coordinator is trying to connect to.

I suspect it's one of the seed hosts, but I can't be sure.

discovery.seed_hosts: ["10.119.131.8", "10.119.131.10", "10.119.131.12"]

You'll need to check the keystore for each of those nodes.

efrainMZ · October 26, 2023, 5:01pm

Hi TimV!

Could this be the problem even if the other nodes are not active? I was starting the configuration is the first node

TimV · October 29, 2023, 11:21am

It sounds like there's another Elasticsearch node running on one of those machines.

Given that it has an expired certificate, perhaps it's an old node that someone forgot about?

system · November 26, 2023, 11:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.