Empty certificate chain on internode handshake with different certificate on each node

Hello,
I configured a two-node cluster with

xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: "certificate"
xpack.security.transport.ssl.keystore.path: "application.keystore"
xpack.security.http.ssl.verification_mode: "certificate"
xpack.security.http.ssl.keystore.path: "application.keystore"
xpack.security.transport.ssl.truststore.path: "client.truststore"
xpack.security.transport.ssl.truststore.password: "pass"
xpack.security.transport.ssl.keystore.password: "pass"
xpack.security.http.ssl.keystore.password: "pass"
xpack.security.transport.ssl.keystore.key_password: "pass"
xpack.security.http.ssl.keystore.key_password: "pass"

I have two different CA-signed certificates and I added one on each node (and in the truststore of each node the corresponding one).
I get
javax.net.ssl|SEVERE|B1|elasticsearch[node][transport_worker][T#66]|2023-05-02 15:08:56.928 UTC|TransportContext.java:316|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] "throwable" : {
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] javax.net.ssl.SSLHandshakeException: Empty client certificate chain
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.Alert.createSSLException(Alert.java:131)
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.Alert.createSSLException(Alert.java:117)
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
[2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1193)
for internode communication. With debug enabled, the server sends its certificates, the client finds the corresponding one in the truststore and then sends an empty list of certificates.

Note: this only happens when I try to use two different certificates, i.e. when adding

xpack.security.transport.ssl.truststore.path: "client.truststore"
xpack.security.transport.ssl.truststore.password: "pass"

With only one certificate, no matter which of them, everything works fine.

This configuration also works fine with only one certificate in the chain (tried with self-signed and CA-signed, but no intermediary).

I expect it's a chain issue. Is something wrong in the configuration?
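The behaviour described in the post, reproduced as an added Go example (not Elasticsearch's code and not from the original thread): two CAs, one node certificate signed by each, and a mutually authenticated TLS 1.3 handshake in which the server side advertises only the CAs in its own truststore as acceptable client-certificate issuers, so a client whose certificate was issued by a CA missing from that list sends an empty chain. The CA and node names (ca-A, ca-B, node1, node2) are constructed, the Ed25519 keys are for brevity only, and the two functions are meant to be called from a test or a small main of your own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a throwaway test certificate for name (Ed25519 key), self-signed when parent is nil.
func mkCert(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // a CA signs its own template
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake connects client to server over loopback with mutual TLS 1.3 and returns the server's verdict.
// The server's CertificateRequest names the CAs in serverTrust (its truststore) as acceptable issuers; the
// client presents its certificate only if that certificate's issuer is on the list, else it sends an empty chain.
func handshake(server, client tls.Certificate, serverTrust, clientTrust *x509.CertPool) error {
	srvConf := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: serverTrust, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13}
	cliConf := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: clientTrust, ServerName: server.Leaf.Subject.CommonName, MinVersion: tls.VersionTLS13}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: accept one connection and drive the handshake to completion
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), cliConf); err == nil {
		c.Close() // a TLS 1.3 client is done once it has sent its flight, whatever the server then decides
	}
	return <-verdict
}
```

With node2 acting as server and a truststore holding only its own CA, handshake(node2, node1, ...) returns a non-nil error because node1 has nothing acceptable to present; with both CAs in both truststores it returns nil in either direction. That is the check worth making on each node: the truststore must contain the CA that signed every peer's certificate, since each node is both client and server on the transport layer.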
