Generate node certificate

What am I doing wrong? Missing some option, parameter?

I have my cluster set up with a certificate and working fine with the following config on all nodes.
It was created using

/usr/share/elasticsearch/bin/elasticsearch-certutil cert cert --ca elastic-certificates.p12

Same as described in this link
https://www.elastic.co/guide/en/elasticsearch/reference/8.6/security-basic-setup.html

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12

And now when I try to generate a certificate for a node using the CA that I have, it gives me this error
following this - https://www.elastic.co/guide/en/elasticsearch/reference/8.6/security-basic-setup-https.html

Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is not a CA!
        at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:250)
        at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.writeCertificateAndKeyDetails(HttpCertificateCommand.java:365)
        at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.writeZip(HttpCertificateCommand.java:267)
        at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.execute(HttpCertificateCommand.java:238)
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
        at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.Command.main(Command.java:50)
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

You have cert in there twice

Ya, that was a typo. But that part works.

Second part is not

Can you show the actual commands not just error?

Hard to help without it.

Can you show the actual commands, the output files and errors in sequence?

Ohh and not sure if another typo

That should be
--ca elastic-certificate-ca.p12

Whenever you use the CA flag this or after it has to be the CA. I don't know if that was a typo too
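
A way to check a PKCS#12 file before passing it to `--ca`, given as an added example that is not part of the thread or of Elasticsearch's tooling: the "ca certificate is not a CA!" error above corresponds to a signing certificate without basicConstraints CA:TRUE, which can be tested with `openssl`. The function names, file names and the password `changeit` are assumptions, the sample files are constructed on the fly, and the check assumes the signer is the certificate paired with the private key in the file.

```shell
#!/bin/sh
# Added example (not from the thread). Returns 0 when the certificate paired
# with the private key in a PKCS#12 file carries basicConstraints CA:TRUE.
p12_signer_is_ca() {   # usage: p12_signer_is_ca FILE PASSWORD
    # -clcerts selects only the keyed certificate; bundled chain certs are skipped.
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        grep -q 'CA:TRUE'
}

# Build constructed throwaway samples in DIR (password "changeit"):
# ca.p12 holds a CA key pair, node.p12 holds a leaf signed by it plus the CA cert.
make_constructed_samples() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=constructed-node" -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/node.crt" 2>/dev/null &&
    openssl pkcs12 -export -name ca -inkey "$d/ca.key" -in "$d/ca.crt" \
        -passout pass:changeit -out "$d/ca.p12" &&
    openssl pkcs12 -export -name node -inkey "$d/node.key" -in "$d/node.crt" \
        -certfile "$d/ca.crt" -passout pass:changeit -out "$d/node.p12"
}

# Demo on the constructed samples.
tmp=$(mktemp -d) && make_constructed_samples "$tmp"
for f in ca.p12 node.p12; do
    if p12_signer_is_ca "$tmp/$f" changeit; then
        echo "$f: keyed certificate is a CA"
    else
        echo "$f: keyed certificate is not a CA"
    fi
done
rm -rf "$tmp"
```

The node file still contains the CA certificate as a trust entry, which is why a plain listing of its certificates can look like it holds a CA even though its keyed certificate is a leaf.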
