Thanks @ikakavas,
Hacking ES nodes is one of the new sports and I'd like to maximize security and narrow down who has access to the ES node. Though I'm not that well versed in SSL setups, so I usually go with the most secure one if possible. Also, I do have several other built-in and custom users connecting to ES. I don't see the point in changing the setting to "optional". I mean, the issue will likely go away, but from that point one could connect to ES with un+pw without providing a trusted CA, right?
Since this was working in previous versions, did something change specifically?
I'm sorry for these questions but I want to upgrade and keep the stack secured too.