This has been posted a few times, but threads have been auto-closed without an explicit explanation.
I'm posting this as this really either needs to be changed/fixed in Elasticsearch, or DOCUMENTED. It does not seem to be documented, nor posted in the forum, that it is not currently possible to use token enrollment with PEM certificates. Not having a keystore will make it impossible to do token enrollment. At least this is my unconfirmed assertion.
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore
It is in the documentation that xpack.security.*.ssl.[key|certificate|certificate_authorities] is mutually exclusive with xpack.security.*.ssl.[keystore|truststore]. And Elasticsearch will work well with, per se, Let's Encrypt (or other ACME distributed certificates) for both TRANSPORT (internode, 9300?) and HTTP(s) (direct API, 9200?) - however, once configuring these options this effectively breaks xpack.security.enrollment.enabled.
So the process for initial setup of a cluster is: run all nodes in autoconfig - with auto-generated certificates,
xpack.security.enrollment.enabled: true
xpack.security.autoconfiguration.enabled: true
xpack.security.enabled: true
path.data: /elastic/data
path.logs: /var/log/elasticsearch
Then, use elasticsearch-create-enrollment-token
then, enroll the other nodes via elasticsearch --enrollment-token.
After the cluster is up, you can then switch out the certificates to self-signed PEMs.
Since most things in my network use flat PEM files, the certificate management is designed for this. A one-off system to auto import these into the keystore, when they renew every ~60 days, seems to be a solution ... however super annoying. It is likely possible to use the 3rd party CA signed certificates, however, these must be in keystores, not PEM files.
It doesn't look like the enrollment-token is being saved in the keystore - as the pk12 files are not modified at create-enrollment-token time, so this must be an artificial check.
This creates an additional problem, as then when certificates are moved to PEM and keystore is disabled, then new nodes cannot be enrolled. (yes?)
This really makes using PEM certificates dangerous and pointless, especially in a production environment.
Can someone please actually confirm this assertion?
If not, how does one do token enrollment with PEM certificates?
Can Elastic please update their documentation?
Can this be fixed? This is seemingly arbitrary enforcement/limitation.
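A small pre-flight checker for the two constraints described in this post (PEM settings versus keystore/truststore settings on the same SSL layer, and enrollment needing a keystore on the HTTP layer). This is an added example, not Elastic's own tooling; the sample elasticsearch.yml content and file paths are constructed for illustration.

```python
"""Pre-flight check for the elasticsearch.yml constraints described in the post (added example,
not Elastic's tooling): flags PEM settings mixed with keystore/truststore settings on one SSL
layer, and enrollment enabled while the HTTP layer has no keystore (the quoted error)."""
from typing import Dict, List

PEM_SETTINGS = ("key", "certificate", "certificate_authorities")
STORE_SETTINGS = ("keystore.path", "truststore.path")
LAYERS = ("http", "transport")

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the dotted 'key: value' lines used in elasticsearch.yml (no nested YAML support)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings

def check_ssl_config(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the config passes both checks."""
    problems: List[str] = []
    for layer in LAYERS:
        prefix = f"xpack.security.{layer}.ssl."
        pem = [s for s in PEM_SETTINGS if prefix + s in settings]
        store = [s for s in STORE_SETTINGS if prefix + s in settings]
        if pem and store:
            problems.append(f"{layer}: PEM settings {pem} are mutually exclusive with {store}")
    enrollment = settings.get("xpack.security.enrollment.enabled", "false").lower() == "true"
    if enrollment and "xpack.security.http.ssl.keystore.path" not in settings:
        problems.append("enrollment enabled but http SSL has no keystore: "
                        "elasticsearch-create-enrollment-token will refuse to run")
    return problems

# Constructed sample: the PEM-based layout from the post with enrollment still switched on.
PEM_CONFIG = """
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/privkey.pem
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/fullchain.pem
"""

if __name__ == "__main__":
    for problem in check_ssl_config(parse_flat_yaml(PEM_CONFIG)):
        print("WARN:", problem)
```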