Elasticsearch ssl configuration

Hi people.

I'm trying to set up Elasticsearch inside my environment but I'm hitting wall after wall after wall, and I'm honestly losing hope.

I set up Elastic with Kibana, configured our organization's CA and certificate. Everything worked fine for a bit, until the problems started. I noticed that I wasn't getting any alerts, and Kibana started lagging very hard (which I found odd because the host has plenty of resources), so I did some troubleshooting. I found out that my cluster (composed of a single node) is in yellow health state, with the following error:

"id": "elasticsearch:health:shards_availability:diagnosis:increase_tier_capacity_for_allocations:tier:data_hot",
"cause": "Elasticsearch isn't allowed to allocate some shards from these indices to any of the nodes in the desired data tier because there are not enough nodes in the [data_hot] tier to allocate each shard copy on a different node.",
"action": "Increase the number of nodes in this tier or decrease the number of replica shards in the affected indices.",
"help_url": "https://ela.st/tier-capacity",

I followed the link, and learnt I have to add another node so the replica shards can work properly. "Easy," I thought, then went to the following link:
https://www.elastic.co/guide/en/elasticsearch/reference/current/add-elasticsearch-nodes.html

But upon entering the first command, the issues started with the SSL configuration.

Since then, I've tried multiple different ways to generate the token, but all of them failed. I've tried:
* Using the certificates from before (returned "No subject alternative DNS name matching localhost found")
* Changing to p12 keystores instead of passing PEM certificates (returned "the truststore does not contain any trusted certificate entries")
* Following the advice from this link https://discuss.elastic.co/t/failed-to-load-ssl-configuration-xpack-security-transport-ssl-the-truststore-usr-share-elasticsearch-ssl-qa-pfx-does-not-contain-any-trusted-certificate-entries/343138 and changing just the truststore setting to certificate_authorities in PEM (returned "No subject alternative DNS name matching localhost found")
* Deciding to screw it and use the internally generated CA and certificate from https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html (returned "the truststore does not contain any trusted certificate entries")
* Deciding to combine the options and exporting the CA to PEM (as found here https://discuss.elastic.co/t/the-truststore-does-not-contain-any-trusted-certificate-entries-after-upgrade-to-8-0/298338/4)

Right now I have decided to craft a p12 keystore myself with the use of keytool, and I have gotten the farthest yet, but I simply can't get past "Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate, with exit code 73". Can someone please tell me what I am doing wrong?

Commands I use to generate the p12:

1. Create the SSL p12 keystore with the user certs:
   openssl pkcs12 -export -in lab.crt -inkey lab.key -out lab.crtandkey.p12
2. Create the same for the CA, but as PEM:
   cat selfsignCA.crt selfsignCA.key > selfsignCA.pem
3. Import the PEM into the p12:
   keytool -importcert -noprompt -keystore lab.p12 -storepass [pass] -trustcacerts -alias ca -file selfsignCA.pem

Now when I try to generate a token for a node, I get the above error 73. Can someone tell me how to fix it, please?

Command I use to generate the token:
./elasticsearch-create-enrollment-token -s node --url "https://lab:9201"

I don't have a single idea on what else to try :frowning:

EDIT: I noticed that the "localhost" in the responses came from the times I ran the command without the --url option; even when I did use it, it still failed.
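An added example (not the poster's commands or Elastic's tooling) that rebuilds, from throwaway locally generated material, the two keystore shapes discussed in the post and checks each for exactly what the exit-73 message names: a PrivateKey entry whose certificate is a CA certificate. The file names, CN values and password are placeholders, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not the poster's commands. Builds two PKCS#12 keystores from a
# constructed throwaway CA and checks each one for the property the exit-73
# message names: a private key whose certificate is a CA certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit                       # placeholder keystore password

# Returns 0 when the keystore holds a private key whose certificate carries
# basicConstraints CA:TRUE. "-clcerts" lists only certs paired with a key, so a
# CA that was merely imported as a trusted certificate (no key) does not count.
# Assumes one key-backed cert per keystore; "x509 -text" reads only the first.
has_ca_private_key() {  # $1 = keystore path, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Constructed throwaway CA (self-signed, CA:TRUE), valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-lab-ca" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Constructed server certificate for the node, signed by that CA (no CA flag).
openssl req -newkey rsa:2048 -nodes -subj "/CN=lab" \
  -keyout "$WORK/lab.key" -out "$WORK/lab.csr" 2>/dev/null
openssl x509 -req -in "$WORK/lab.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/lab.crt" 2>/dev/null

# Shape 1 (the post's layout): server key + cert, CA only as a trusted cert.
openssl pkcs12 -export -name lab -in "$WORK/lab.crt" -inkey "$WORK/lab.key" \
  -certfile "$WORK/ca.crt" -out "$WORK/server-only.p12" -passout "pass:$PASS"

# Shape 2: the CA's own private key and certificate stored as one key entry.
openssl pkcs12 -export -name ca -in "$WORK/ca.crt" -inkey "$WORK/ca.key" \
  -out "$WORK/ca-key.p12" -passout "pass:$PASS"

for ks in server-only ca-key; do
  if has_ca_private_key "$WORK/$ks.p12" "$PASS"; then
    echo "$ks.p12: CA private key entry present"
  else
    echo "$ks.p12: no CA private key entry"
  fi
done
```

Run the check against your own keystore with its real path and password to see which shape it matches before retrying the enrollment-token command.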