Failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/root.p12] does not contain any trusted certificate entries

See the note here:

Storing trusted certificates in a PKCS#12 file, although supported, is uncommon in practice. The elasticsearch-certutil tool, as well as Java’s keytool, are designed to generate PKCS#12 files that can be used both as a keystore and as a truststore, but this may not be the case for container files that are created using other tools. Usually, PKCS#12 files only contain secret and private entries. To confirm that a PKCS#12 container includes trusted certificate ("anchor") entries look for 2.16.840.1.113894.746875.1.1: <Unsupported tag 6> in the openssl pkcs12 -info output, or trustedCertEntry in the keytool -list output.

In general, you cannot use openssl to create a PKCS#12 truststore for Elasticsearch.
Since you already have a PEM formatted CA (root.crt) you should use that directly.

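The check described in the quoted note, written as a script. This is an added example, not part of the original thread or of Elasticsearch's tooling. The function names, the `P12_PASS` environment variable and the sample outputs are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: detect whether a PKCS#12 file holds trusted certificate entries.
# Function names, P12_PASS and the sample text below are assumptions.

# Bag attribute OID named in the quoted note as the marker of a trusted entry.
TRUST_OID='2.16.840.1.113894.746875.1.1'

# Count trusted entries in `openssl pkcs12 -info` output read from stdin.
count_openssl_anchors() { grep -c -F "$TRUST_OID" || true; }

# Count trusted entries in `keytool -list` output read from stdin.
count_keytool_anchors() { grep -c -F 'trustedCertEntry' || true; }

# check_truststore FILE: 0 = has trust anchors, 1 = none found, 2 = unreadable.
# The password comes from the environment so it stays off the command line.
check_truststore() {
    out=$(openssl pkcs12 -in "$1" -info -nokeys -passin env:P12_PASS 2>&1) || {
        echo "cannot read $1" >&2; return 2; }
    n=$(printf '%s\n' "$out" | count_openssl_anchors)
    if [ "$n" -gt 0 ]; then
        echo "$1: $n trusted certificate entries"
    else
        echo "$1: no trusted certificate entries; point" \
             "xpack.security.transport.ssl.certificate_authorities at the PEM CA" >&2
        return 1
    fi
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OPENSSL_TRUSTED='Certificate bag
Bag Attributes
    friendlyName: ca
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=CN = Example Root CA'
SAMPLE_OPENSSL_KEYSTORE_ONLY='Certificate bag
Bag Attributes
    friendlyName: node
    localKeyID: 01
subject=CN = node01'
SAMPLE_KEYTOOL='ca, Jan 1, 2024, trustedCertEntry,
node, Jan 1, 2024, PrivateKeyEntry,'

# Run against a real file only when a path is given as the first argument.
if [ "$#" -gt 0 ]; then check_truststore "$1"; fi
```

Run it as `P12_PASS=... sh check.sh /etc/elasticsearch/certs/root.p12`; an exit status of 1 corresponds to the "does not contain any trusted certificate entries" error above.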