Error setting up SSL on multi-node ES cluster - no cipher suites in common


(Santanu Saha) #1

I have an Elasticsearch cluster of two nodes ( and ). After enabling SSL/TLS I am getting the following error on Elasticsearch startup.

Stack trace of datanode3

[2016-07-01 07:16:04,877][WARN ][shield.transport.netty ] [datanode3] exception caught on transport layer [[id: 0xe0f9ff30, => /]], closing connection no cipher suites in common

Corresponding stack trace from loggerdb2
[2016-07-01 09:15:35,211][ERROR][shield.transport.netty ] [loggerdb2] SSL/TLS handshake failed, closing channel: Received fatal alert: handshake_failure
[2016-07-01 09:15:35,226][WARN ][shield.transport.netty ] [loggerdb2] exception caught on transport layer [[id: 0xffeaa7b8, / :>]], closing connection Received fatal alert: handshake_failure

Below are the steps that I followed to set up SSL with self-signed certificates.

Two nodes: datanode3 and loggerdb2.
Setting up the certificate authority

mkdir -p ca/private ca/certs ca/conf

cd ca
echo '01' > serial
touch index.txt

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 1460 -config conf/caconfig.cnf

Create a keystore and generate a certificate for the node (datanode3)

keytool -importcert -keystore /etc/elasticsearch/shield/node3.jks -file /root/us67m/keys/ca/certs/cacert.pem

Create a certificate signing request (CSR).

keytool -genkey -alias esnode -keystore esnode.jks -keyalg RSA -keysize 2048 -validity 712 -ext,ip:,,ip:

keytool -certreq -alias esnode -keystore esnode.jks -file esnodecsr.csr -keyalg rsa -ext,ip:,,ip:

Send the certificate to your CA for signing.

openssl ca -in esnodecsr.csr -notext -out esnode-signed.crt -config conf/caconfig.cnf -extensions v3_req

Add the signed certificate to the node’s keystore.

keytool -importcert -keystore /etc/elasticsearch/shield/node3.jks -file /root/us67m/keys/ca/esnode-signed.crt -alias esnode

For the loggerdb2 node I am using the same cacert.pem and esnode-signed.crt generated above.
================================For loggerdb2=========================
keytool -importcert -keystore /etc/elasticsearch/shield/loggerdb2.jks -file /root/us67m/keys/ca/certs/cacert.pem
keytool -importcert -keystore /etc/elasticsearch/shield/loggerdb2.jks -file /root/us67m/keys/ca/esnode-signed.crt -alias esnode

Below are my elasticsearch.yml configurations for SSL
loggerdb2 node
#-----------------------------Configuration for SSL ----------------------
shield.ssl.keystore.path: /etc/elasticsearch/shield/loggerdb2.jks
shield.ssl.keystore.password: esnode
shield.transport.ssl: true
shield.transport.http: false
shield.ssl.ciphers: [ "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" ]

shield.http.filter.allow: [ "", "" ]

#-------------------------------End configuration for SSL -----------------
discovery.zen.ping_timeout: 50s

datanode3 node. The rest is the same as loggerdb2.

#--------------------------------SSL Configuration----------------
shield.ssl.keystore.path: /etc/elasticsearch/shield/node3.jks
shield.ssl.keystore.password: esnode

Any help will be much appreciated as I am stuck here.
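One check worth running before going further with the cipher list: whether each node's keystore actually holds a private key under the alias Shield is expected to use. In the steps above, the loggerdb2 keystore is built from two `keytool -importcert` commands only, and importing a certificate never imports a private key; a JSSE server whose keystore holds nothing but trusted certificates has no RSA key to offer, and that condition surfaces as exactly "no cipher suites in common". The script below is an added example for this thread, not code from the original post or from Elastic. It parses the text output of `keytool -list -v` rather than calling keytool, so it runs offline; the two listings embedded in it are constructed to mirror the two keystores the post describes (entry types, alias names and the `CN=` values are assumptions, not taken from the poster's systems).

```python
"""Check that a Java keystore, as listed by `keytool -list -v`, holds a
private key for the alias the node should present during the TLS handshake.

Usage against a real node (path from the post's elasticsearch.yml):

    keytool -list -v -keystore /etc/elasticsearch/shield/loggerdb2.jks \
        | python check_keystore.py esnode
"""
import sys

# Constructed sample: a keystore populated only by `keytool -importcert`
# (CA cert under the default alias, signed node cert under "esnode").
# Both entries are trustedCertEntry; there is no PrivateKeyEntry.
LOGGERDB2_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example

Alias name: esnode
Entry type: trustedCertEntry
Owner: CN=esnode, O=Example
"""

# Constructed sample: a keystore where `keytool -genkey` created the key
# pair under "esnode" and the CA-signed cert was imported under the same
# alias, so the entry is a PrivateKeyEntry with a two-certificate chain.
DATANODE3_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example

Alias name: esnode
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=esnode, O=Example
Certificate[2]:
Owner: CN=Example CA, O=Example
"""


def parse_keystore_listing(text):
    """Return {alias: entry_type} from `keytool -list -v` output."""
    entries = {}
    alias = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:") and alias is not None:
            entries[alias] = line.split(":", 1)[1].strip()
            alias = None  # one "Entry type" line per alias block
    return entries


def diagnose(text, alias=None):
    """Return (ok, message): ok is True only if a PrivateKeyEntry exists,
    and, when alias is given, only if it sits under that alias.

    A keystore made up solely of trustedCertEntry entries gives the JSSE
    key manager no key to use, so no cipher suite can be negotiated and
    the peer sees "no cipher suites in common" / handshake_failure.
    """
    entries = parse_keystore_listing(text)
    if alias is not None:
        kind = entries.get(alias)
        if kind == "PrivateKeyEntry":
            return True, f"alias {alias!r} is a PrivateKeyEntry"
        if kind is not None:
            return False, (f"alias {alias!r} is a {kind}, not a PrivateKeyEntry: "
                           "the signed certificate was imported into a store "
                           "that has no matching private key")
        return False, f"alias {alias!r} not found (entries: {sorted(entries)})"
    private = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    if private:
        return True, f"private key entries: {private}"
    return False, "no PrivateKeyEntry at all: this keystore holds only trusted certificates"


if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    ok, msg = diagnose(sys.stdin.read(), wanted)
    print(("OK: " if ok else "PROBLEM: ") + msg)
    sys.exit(0 if ok else 1)
```

Each node needs its own `-genkey` step (or a copy of the keystore that contains the private key) before the signed certificate is imported under the same alias; importing `esnode-signed.crt` into a fresh keystore, as the loggerdb2 steps do, only stores it as a trusted certificate.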

(system) #2