Failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/root.p12] does not contain any trusted certificate entries

I am trying to create my own PKCS12 certificate files to use with elasticsearch, but when I do systemctl start elasticsearch, I get this error:

[2024-09-15T01:24:22,581][ERROR][o.e.b.Elasticsearch      ] [node1] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/ca/root.p12] does not contain any trusted certificate entries
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:620) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1429) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1708) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:616) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:160) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:496) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:325) ~[?:?]
        at org.elasticsearch.node.NodeConstruction.lambda$construct$13(NodeConstruction.java:868) ~[elasticsearch-8.15.1.jar:?]
        at org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:253) ~[elasticsearch-8.15.1.jar:?]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:288) ~[?:?]
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:212) ~[?:?]
        at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:556) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:546) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:622) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:291) ~[?:?]
        at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:631) ~[?:?]
        at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:637) ~[?:?]
        at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:642) ~[?:?]
        at org.elasticsearch.node.NodeConstruction.construct(NodeConstruction.java:868) ~[elasticsearch-8.15.1.jar:?]
        at org.elasticsearch.node.NodeConstruction.prepareConstruction(NodeConstruction.java:270) ~[elasticsearch-8.15.1.jar:?]
        at org.elasticsearch.node.Node.<init>(Node.java:192) ~[elasticsearch-8.15.1.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:242) ~[elasticsearch-8.15.1.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:242) ~[elasticsearch-8.15.1.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:76) ~[elasticsearch-8.15.1.jar:?]
Caused by: org.elasticsearch.common.ssl.SslConfigException: the truststore [/etc/elasticsearch/certs/ca/root.p12] does not contain any trusted certificate entries
        at org.elasticsearch.common.ssl.StoreTrustConfig.checkTrustStore(StoreTrustConfig.java:134) ~[?:?]
        at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:84) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:479) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:618) ~[?:?]
        ... 24 more

I will show the steps I ran on Ubuntu 22.04.

Install Elasticsearch like this:

apt-get install -y gnupg gpg;

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg;
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list;
apt-get install -y apt-transport-https;
apt-get update;
apt-get install -y elasticsearch;

Then you can make the root.p12 and entity.p12 like this:

# make a directory for ca certs
mkdir /etc/elasticsearch/certs/ca;
cd /etc/elasticsearch/certs/ca;

# make root.key, root.crt and root.p12
openssl genrsa -out root.key 2048
openssl req -x509 -sha256 -nodes -key root.key \
-subj "/C=CA/ST=ON/O=ElasticDemo/CN=ca.example.com" -days 3650 -out root.crt

# enter a password when prompted
openssl pkcs12 -export -out root.p12 -inkey root.key -in root.crt

cd /etc/elasticsearch/certs/

# make entity.key, entity.crt, entity.p12 for each domain
fqdn="node1.example.com"

mkdir -p "$fqdn";

cd "$fqdn";

# create a template meta.cnf file
cat >meta.cnf <<EOL
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = ${fqdn}
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${fqdn}
EOL

openssl genrsa -out entity.key 2048

openssl req -new -sha256 -nodes -key entity.key -config meta.cnf -out entity.csr

openssl x509 -req -in entity.csr -CA ../ca/root.crt -CAkey ../ca/root.key \
  -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req \
  -extfile meta.cnf;

# enter a password when prompted
openssl pkcs12 -export -out entity.p12 -inkey entity.key -in entity.crt


chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs

Running this command shows the certs look ok:

openssl pkcs12 -info -in /etc/elasticsearch/certs/ca/root.p12 -nokeys

I then made this for my /etc/elasticsearch/elasticsearch.yml:

cluster.name: my-application
node.name: node1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: node1.example.com
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/node1.example.com/entity.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/node1.example.com/entity.p12
  truststore.path: certs/ca/root.p12
cluster.initial_master_nodes: ["node1"]
http.host: 0.0.0.0

I ran these commands to set the password for keystore and truststore:

/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

I started elasticsearch with systemctl start elasticsearch. This yielded an error and asked me to look in the /var/log/elasticsearch/my-application.log file, which is what I pasted at the beginning of this question.

What did I do wrong?

Hi @learningelastic

I am not sure anyone will go through all your steps and debug it for you...

Perhaps follow the documentation, get it to work, and then if you want to recreate it with raw openssl you will have something to compare to ..

You can open / read the certs with openssl and recreate them

See the note here:

Storing trusted certificates in a PKCS#12 file, although supported, is uncommon in practice. The elasticsearch-certutil tool, as well as Java’s keytool, are designed to generate PKCS#12 files that can be used both as a keystore and as a truststore, but this may not be the case for container files that are created using other tools. Usually, PKCS#12 files only contain secret and private entries. To confirm that a PKCS#12 container includes trusted certificate ("anchor") entries look for 2.16.840.1.113894.746875.1.1: <Unsupported tag 6> in the openssl pkcs12 -info output, or trustedCertEntry in the keytool -list output.

In general, you cannot use openssl to create a PKCS#12 truststore for Elasticsearch.
Since you already have a PEM formatted CA (root.crt) you should use that directly.

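To make the check in the quoted note concrete, here is an added example (not code from the thread or from Elastic) that rebuilds a throwaway CA the same way the question does, exports it with openssl pkcs12 -export, and then inspects the result for the Oracle trusted-certificate attribute 2.16.840.1.113894.746875.1.1 that Elasticsearch's truststore loader looks for. It assumes openssl is on PATH; the directory, file names and password are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread. Shows why an openssl-made
# root.p12 fails as an Elasticsearch truststore: the file holds a key+cert
# pair but no entry flagged as a trusted certificate ("anchor").
set -e

# Return 0 if the PKCS#12 file $1 (password $2) contains at least one bag
# carrying the Java trusted-key-usage attribute 2.16.840.1.113894.746875.1.1.
# openssl does not know the attribute and prints it as "<Unsupported tag 6>",
# which is exactly the marker the Elastic docs tell you to look for.
p12_has_trusted_entry() {
  openssl pkcs12 -info -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -q '2\.16\.840\.1\.113894\.746875\.1\.1'
}

# Count the certificates in the file, so "no certificates at all" can be told
# apart from "certificates present but none marked as trusted".
p12_cert_count() {
  openssl pkcs12 -info -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Build a throwaway CA in directory $1 and export it to root.p12 with the
# password $2, mirroring the question's commands. Prints the .p12 path.
# Constructed demo material only; never use a CA made like this in production.
make_demo_p12() {
  local dir="$1" pass="$2"
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -x509 -sha256 -nodes -key "$dir/root.key" \
    -subj "/C=CA/ST=ON/O=ElasticDemo/CN=ca.example.com" -days 3650 \
    -out "$dir/root.crt" 2>/dev/null
  # Same export the question used. It yields a key bag plus a certificate bag
  # tagged only with localKeyID, so there is no trusted-certificate entry.
  openssl pkcs12 -export -out "$dir/root.p12" -inkey "$dir/root.key" \
    -in "$dir/root.crt" -passout "pass:$pass"
  printf '%s\n' "$dir/root.p12"
}

# Demo run: reproduce the question's file and report what is inside it.
demo_dir=$(mktemp -d)
demo_p12=$(make_demo_p12 "$demo_dir" "demo-pass")
if p12_has_trusted_entry "$demo_p12" "demo-pass"; then
  echo "$demo_p12: has a trusted-certificate entry, usable as a truststore"
else
  echo "$demo_p12: $(p12_cert_count "$demo_p12" demo-pass) certificate(s) but no trusted-certificate entry; Elasticsearch will reject it as a truststore"
fi
rm -rf "$demo_dir"
```

Point p12_has_trusted_entry at your own /etc/elasticsearch/certs/ca/root.p12 with its password to confirm the diagnosis. The simplest fix is the one suggested above: drop truststore.path from the transport block and reference the PEM CA directly with xpack.security.transport.ssl.certificate_authorities: [ "certs/ca/root.crt" ], which needs no truststore password. If you do want a PKCS#12 truststore, keytool -importcert produces a trustedCertEntry as the quoted note describes; OpenSSL 3.2 and later also add a -jdktrust option to pkcs12 -export that sets this attribute, so check openssl pkcs12 -help on your version before relying on it.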

Thank you to both you and @stephenb . The note about 2.16.840.1.113894.746875.1.1: <Unsupported tag 6> was exactly my problem!