Forming an Elasticsearch cluster

Hello,

I’m trying to add a second node to my ES cluster but I’m facing issues with SSL handshake.

[2025-12-14T15:38:54,881][WARN ][o.e.t.TcpTransport       ] [SCPRLUWS05] exception caught on transport layer [Netty4TcpChannel{localAddress=/<NODE_2>:56786, remoteAddress=/<NODE_1>:9300, profile=default}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: (certificate_unknown) Received fatal alert: certificate_unknown
at io.netty.codec@4.1.118.Final/io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
at io.netty.codec@4.1.118.Final/io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.transport@4.1.118.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)

See logs for more details.

I tried using the same keystore / truststore for both http & ssl (both servers are under the same certificate).
That didn't work and I got the above error.
2nd attempt: I tried to use another server with its own keystore, changed truststore to certificate_authorities and added the root_CA.crt file, and still got the same error.

ELK version : 9.0.3
First node OS : Windows
Second node OS : Linux

First node config :

http.host: 0.0.0.0
http.port: 9200

xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: "****/keystore2.p12"
  truststore.path: "****/truststore.p12"

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: "****/keystore2.p12"
  certificate_authorities: "****/ROOT_CA.crt"

network.host: 0.0.0.0
cluster.name: ES_CLUSTER
cluster.initial_master_nodes: ["****05", "*****06"]
node.name: ****05

discovery.seed_hosts:
  - ****.94
  - ****.95

action.auto_create_index: true

http.max_content_length: 500mb

ingest.geoip.downloader.enabled: false

Second Node config :

action.destructive_requires_name: false
http.host: 0.0.0.0
http.port: 9200

xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: "***/****_keystore.p12"
  truststore.path: "****_truststore.p12"

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: "****/****_keystore.p12"
  certificate_authorities: "****/ROOT_CA.crt"

network.host: 0.0.0.0
cluster.name: ES_CLUSTER
cluster.initial_master_nodes: ["****05", "****05"]
node.name: SCPRLUWS05

discovery.seed_hosts:
  - ****.94
  - ****.84

action.auto_create_index: true

http.max_content_length: 500mb

Yes that’s almost certainly incorrect - see these docs for further information, particularly:

In most cases, you should not use the same certificate for both HTTP and transport connections.


If it’s really the same certificate_unknown error then I’d guess you’re using different CAs for the two nodes. Typically you’d want to use the same CA for both but you can technically use a different CA as long as each node trusts the other node’s CA root cert. You must also check that the keystores you’re supplying actually contain certificates issued by the root CA, not just keys.
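
One way to run the keystore check suggested in the reply above, as an added example that is not part of the thread or of Elasticsearch's tooling. It assumes the openssl CLI is installed and that node certificates are issued directly by the root (no intermediate CAs); the rootA/rootB names, the `changeit` password and the sample files are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes the openssl CLI is installed.

# check_keystore <keystore.p12> <password> <ca.crt>
# Returns 0 if the keystore's certificate verifies against the CA,
# 1 if it was issued by some other CA, 2 if no certificate can be read.
check_keystore() {
  local p12="$1" pass="$2" ca="$3" leaf rc=0
  leaf=$(mktemp)
  # -clcerts -nokeys: export only the node certificate, never the private key.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null |
       openssl x509 -out "$leaf" 2>/dev/null; then
    echo "$p12: no certificate entry (key only, or wrong password)"
    rm -f "$leaf"; return 2
  fi
  openssl x509 -in "$leaf" -noout -subject -issuer
  # -no-CApath: trust only the given CA file, as certificate_authorities does.
  if openssl verify -no-CApath -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
    echo "$p12: OK, issued by $ca"
  else
    echo "$p12: MISMATCH, not issued by $ca"; rc=1
  fi
  rm -f "$leaf"; return "$rc"
}

# Constructed sample PKI: two unrelated roots, one node keystore from each,
# plus a keystore that holds a private key but no certificate.
make_samples() {
  local d="$1" ca
  for ca in rootA rootB; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=node-$ca" \
      -keyout "$d/node-$ca.key" -out "$d/node-$ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/node-$ca.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 1 -out "$d/node-$ca.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/node-$ca.key" -in "$d/node-$ca.crt" \
      -passout pass:changeit -out "$d/node-$ca.p12" 2>/dev/null
  done
  openssl pkcs12 -export -nocerts -inkey "$d/node-rootA.key" \
    -passout pass:changeit -out "$d/keys-only.p12" 2>/dev/null
}

d=$(mktemp -d); make_samples "$d" || true
check_keystore "$d/node-rootA.p12" changeit "$d/rootA.crt" || true  # same CA
check_keystore "$d/node-rootB.p12" changeit "$d/rootA.crt" || true  # other CA
check_keystore "$d/keys-only.p12"  changeit "$d/rootA.crt" || true  # key only
```

On a real cluster, run `check_keystore` on each node's transport keystore against the CA file the other node lists under `certificate_authorities`; every pairing should return 0.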