Hello, I'm trying to configure TLS between es01, es02 and kibana (docker containers) with certificates from a certificate chain [CA_cert - Intermediate_cert - Server_cert]. Below you can see the excerpt of the yml file where I'm setting up xpack security, and the error I am receiving when trying to run `./bin/elasticsearch-setup-passwords auto` from es01.
```yaml
- xpack.license.self_generated.type=trial
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.verification_mode=certificate
- xpack.security.http.ssl.key=$CERTS_DIR/es01.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/Root_CA_2012.cer
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/Sub2_CA_2012.cer
- xpack.security.http.ssl.certificate=$CERTS_DIR/es01.cer
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/Root_CA_2012.cer
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/Sub2_CA_2012.cer
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es01.cer
- xpack.security.transport.ssl.key=$CERTS_DIR/es01.key
```
```text
Checking cluster health: https://192.168.48.3:9200/_cluster/health?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "master_not_discovered_exception",
        "reason" : null
      }
    ],
    "type" : "master_not_discovered_exception",
    "reason" : null
  },
  "status" : 503
}
Failed to determine the health of the cluster running at https://192.168.48.3:9200
Unexpected response code [503] from calling GET https://192.168.48.3:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.
```
It looks like the problem is that TLS is not being established between es01 and es02.
```text
2021-07-02T09:54:04.219542828Z {"type": "server", "timestamp": "2021-07-02T09:54:04,218Z", "level": "WARN", "component": "o.e.c.s.DiagnosticTrustManager", "cluster.name": "es-docker-cluster", "node.name": "es01", "message": "failed to establish trust with client at [<unknown host>]; the client provided a certificate with subject name [CN=es02] and fingerprint [8ed4d2bd59aae371e46de7a224d83367f77f55c9]; the certificate is issued by [CN=Sub2 CA 2012,DC=mydomen,DC=net] but the client did not provide a copy of the issuing certificate in the certificate chain; the issuing certificate with fingerprint [dd1a2abb0047a58642030c226fb73b7d0ed5ec96] is trusted in this ssl context ([xpack.security.transport.ssl])",
```
Maybe I'm wrong. Can you help me?
P.S. it's my first case at this forum, sorry for formatting.
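The DiagnosticTrustManager line above says exactly what is missing: es02 presented only its leaf certificate, so es01 could not build the path leaf -> Sub2 CA -> Root CA. The script below is an added example (not code from the post or from Elastic): it creates a throwaway three-tier chain with openssl (names `Example Root CA`, `Example Sub CA` and `es02` are constructed) and then checks a PEM file the way a TLS peer does, trusting only the root and using only the certificates inside that file as chain material. A leaf-only file fails, a leaf+intermediate bundle passes. The `chain_ok` and `cert_count` helpers are mine, as is the assumption that the same check applies to the poster's `es01.cer`/`es02.cer`.

```shell
#!/bin/sh
# Added example: show why a leaf-only PEM cannot be verified by a peer that
# trusts only the root, while a leaf+intermediate bundle can.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway root CA (self-signed; `req -x509` marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Example Root CA" >/dev/null 2>&1

# 2. Intermediate CA signed by the root (stand-in for Sub2_CA_2012.cer).
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
  > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
  -subj "/CN=Example Sub CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" >/dev/null 2>&1

# 3. Node certificate signed by the intermediate (stand-in for es02.cer).
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:es02\n' \
  > "$WORK/leaf.ext"
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/es02.key" -out "$WORK/es02.csr" \
  -subj "/CN=es02" >/dev/null 2>&1
openssl x509 -req -in "$WORK/es02.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/es02.cer" >/dev/null 2>&1

# 4. The bundle a node should hand to its peers: leaf first, then the issuing CA.
cat "$WORK/es02.cer" "$WORK/sub.pem" > "$WORK/es02-chain.cer"

# chain_ok FILE: succeed only if FILE verifies to the root when the root is the
# sole trust anchor and FILE itself is the only source of intermediate certs.
# This is the position es01 is in when es02 presents FILE during the handshake.
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

# cert_count FILE: number of PEM certificates in FILE (a correct node bundle has 2 here).
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

for f in es02.cer es02-chain.cer; do
  if chain_ok "$WORK/$f"; then
    echo "$f: chain builds to root ($(cert_count "$WORK/$f") certificate(s) in file)"
  else
    echo "$f: chain FAILS ($(cert_count "$WORK/$f") certificate(s) in file, issuer missing)"
  fi
done

# Applied to the poster's compose excerpt (assumption: list settings accept a
# comma-separated value in environment form), the equivalent change would be:
#   - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02-chain.cer
#   - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/Root_CA_2012.cer,$CERTS_DIR/Sub2_CA_2012.cer
```

Two things to check against your own files: `cert_count` on each node's `.cer` should report 2 (leaf plus Sub2 CA), and `chain_ok` should pass with only `Root_CA_2012.cer` as the `-CAfile`. Separately, setting `certificate_authorities` twice in the environment list gives the key only one value; listing both files in one comma-separated value keeps both the root and the intermediate trusted.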