I'm getting "failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]" and then right at the bottom of the exception I'm getting access denied ("java.io.FilePermission" "/certs/ca/ca.crt" "read") which is really odd because I've temporarily opened up the /certs directory permissions to 777 with a -R option, so it should be wide open for testing.
I installed the plugin using :- sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
And plugin list -v :-
# sudo /usr/share/elasticsearch/bin/elasticsearch-plugin list -v
Plugins directory: /usr/share/elasticsearch/plugins
- Plugin information:
Description: Elasticsearch Expanded Pack Plugin - Core
Native Controller: false
Requires Keystore: false
Extended Plugins: 
.... plus a whole load more.
Something awry here, but I'm not seeing it. Why would it not be able to read my certs, when the perms are wide open?
This looks like java security policy which is not allowing you read access to /certs/ca/ca.crt
You could modify the java security policy to add permission to /certs folder or
you could move /certs/* folder to say <ES-Home>/config/certs/*.
Also please update the elasticsearch.yml file after the change and restart ES.
Hope this resolves your problem.
That's brilliant, thanks. I wasn't aware that "java security policy" was even a thing, so really useful to know. It's now reading the certificates fine, and I'm getting "client did not trust this server's certificate, closing connection" so I'll need to do some googling for that one, and perhaps come back here if I can't figure that out.