Hello,
I configured a two nodes cluster with
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: "certificate"
xpack.security.transport.ssl.keystore.path: "application.keystore"
xpack.security.http.ssl.verification_mode: "certificate"
xpack.security.http.ssl.keystore.path: "application.keystore"
xpack.security.transport.ssl.truststore.path: "client.truststore"
xpack.security.transport.ssl.truststore.password: "pass"
xpack.security.transport.ssl.keystore.password: "pass"
xpack.security.http.ssl.keystore.password: "pass"
xpack.security.transport.ssl.keystore.key_password: "pass"
xpack.security.http.ssl.keystore.key_password: "pass"
I have two different ca signed certificates and i added one on each node (and in the trustore of each node the corresponding one).
I get
javax.net.ssl|SEVERE|B1|elasticsearch[node][transport_worker][T#66]|2023-05-02 15:08:56.928 UTC|TransportContext.java:316|Fatal (BAD_CERTIFICATE): Empty client certificate chain ( [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] "throwable" : { [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] javax.net.ssl.SSLHandshakeException: Empty client certificate chain [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.Alert.createSSLException(Alert.java:131) [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.Alert.createSSLException(Alert.java:117) [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.TransportContext.fatal(TransportContext.java:258) [2023-05-02T15:08:56,928][WARN ][stderr ] [node-mdtwnmst01ap02] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1193)
for internode communication. Enabled debug, the server sends its certificates, the client finds the corresponding one in the truststore and then sends an empty list of certificates.
Note: this only happens when I try to use two different certificates - aka when adding
xpack.security.transport.ssl.truststore.path: "client.truststore"
xpack.security.transport.ssl.truststore.password: "pass"
With only one certificate, no matter which of them, everything works fine.
Also, this configuration also works fine with only one certificate in the chain (tried with self signed and ca signed, but no intermediary.)
I expect it's a chain issue. Is something wrong in the configuration?