This has been posted a few times, but threads have been auto-closed without an explicit explanation.
I'm posting this as this really either needs to be changed/fixed in Elasticsearch, or DOCUMENTED. It does not seem to be documented, nor posted in the forum, that it is not currently possible to use token enrollment with PEM certificates. Not having a keystore will make it impossible to do token enrollment. At least this is my unconfirmed assertion.
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore
It is in the documentation that
xpack.security.*.ssl.[key|certificate|certificate_authorities] is mutually exclusive with
xpack.security.*.ssl.[keystore|truststore]. And Elasticsearch will work well with, say, Let's Encrypt (or other ACME-distributed certificates) for both TRANSPORT (internode, 9300?) and HTTP(S) (direct API, 9200?); however, once these options are configured, this effectively breaks
So the process for initial setup of a cluster is: run all nodes in autoconfig, with auto-generated certificates,
xpack.security.enrollment.enabled: true
xpack.security.autoconfiguration.enabled: true
xpack.security.enabled: true
path.data: /elastic/data
path.logs: /var/log/elasticsearch
Then use
elasticsearch-create-enrollment-token, then enroll the other nodes via
elasticsearch --enrollment-token. After the cluster is up, you can then switch out the certificates for self-signed PEMs.
Since most things in my network use flat PEM files, the certificate management is designed for this. A one-off system to auto-import these into the keystore when they renew every ~60 days seems to be a solution ... however, super annoying. It is likely possible to use 3rd-party CA-signed certificates; however, these must be in keystores, not PEM files.
It doesn't look like the enrollment token is being saved in the keystore, as the p12 files are not modified at create-enrollment-token time, so this must be an artificial check.
This creates an additional problem: when certificates are moved to PEM and the keystore is disabled, new nodes cannot be enrolled. (Yes?)
This really makes using PEM certificates dangerous and pointless, especially in a production environment.
Can someone please actually confirm this assertion?
If not, how does one do token enrollment with PEM certificates?
Can Elastic please update their documentation?
Can this be fixed? This is seemingly arbitrary enforcement/limitation.
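The "auto-import into the keystore" workaround mentioned in the post, as an added example that is not from the original post or from Elastic: a POSIX shell script that repackages the PEM files an ACME client renews into a PKCS#12 keystore, so elasticsearch.yml can keep xpack.security.http.ssl.keystore.path and the enrollment-token check keeps passing. File paths, the alias "http", the file mode and the password handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Elastic): repackage the PEM
# files an ACME client renews into a PKCS#12 keystore, so elasticsearch.yml can
# keep xpack.security.http.ssl.keystore.path and enrollment tokens still work.
# File names, the alias "http" and the chmod mode are assumptions.
set -eu

# pem_to_es_keystore KEY CERT CHAIN OUT PASSWORD
#   KEY      private key PEM (Let's Encrypt: privkey.pem)
#   CERT     leaf certificate PEM (cert.pem)
#   CHAIN    intermediate chain PEM (chain.pem), bundled so clients get the full chain
#   OUT      PKCS#12 file to write, e.g. /etc/elasticsearch/certs/http.p12
#   PASSWORD keystore password; store it (once) with
#            elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
pem_to_es_keystore() {
    key=$1; cert=$2; chain=$3; out=$4; pass=$5
    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Build in a temp file and move it into place, so a node that reloads its
    # changed SSL files never sees a half-written keystore.
    tmp=$(mktemp "$out.XXXXXX")
    openssl pkcs12 -export -name http -in "$cert" -inkey "$key" -certfile "$chain" \
        -out "$tmp" -passout "pass:$pass"
    chmod 640 "$tmp"      # private key material: not world-readable
    mv -f "$tmp" "$out"
}

# keystore_ok OUT PASSWORD: exit status 0 only if the file opens with that password
keystore_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# es_yml_snippet OUT: the elasticsearch.yml lines that use the keystore. These
# replace xpack.security.http.ssl.key/certificate/certificate_authorities; the
# two styles are mutually exclusive.
es_yml_snippet() {
    printf 'xpack.security.http.ssl.enabled: true\n'
    printf 'xpack.security.http.ssl.keystore.path: %s\n' "$1"
}

# Run as a renewal hook: pem_to_keystore.sh KEY CERT CHAIN OUT PASSWORD
if [ "$#" -eq 5 ]; then
    pem_to_es_keystore "$@"
    es_yml_snippet "$4"
fi
```

Wire it into the ACME client's renewal hook (certbot's --deploy-hook, for instance) so the keystore is rebuilt every time the PEM files are.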