@TimV
As per your suggestion, I copied the same 4 certificates into /user/share/elasticsearch/config and updated the config to
xpack.http.ssl.verification_mode: certificate
xpack.http.ssl.certificate_authorities: ["/user/share/elasticsearch/config/foo-orca-g2.crt","/user/share/elasticsearch/config/foo-root-ca.crt","/user/share/elasticsearch/config/foo-issuing-ca02.crt",""/user/share/elasticsearch/config/foo-issuing-ca02-g2.crt"]
However, I'm still seeing the exact same error?
Do I need to do anything further? for e.g. import into a local keystore or something?
You mentioned if I try and bring it up without the certs it shouldn't start, but that's not what's going on here as it does start. It's when the watcher action is invoked, the errors are being logged. The elasticsearch instance is still up and available though.
Also, on a separate not, previously I tried with option of "xpack.http.ssl.verification_mode: none", should this not just disable any SSL verification and allowed the connection to the url anyway as per documentation?