Hello, I have a cluster of 3 nodes and I want to add a new node to the cluster. For that I need to regenerate a new certificate for this new node.
I generated the first certs using this command:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --keep-ca-key ca --pem --in /etc/elasticsearch/instance.yml --out /etc/elasticsearch/certss.zip
And I tried to regenerate the new certs for the es4 node using this command:
But when starting the new node I got this warning:
[es4] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress.
The first command has an oddity in that it has a ca parameter after --keep-ca-key. It is not necessary but does not seem to cause any issue. The problem is most likely related to the configurations around TLS, e.g. either the CA is not configured consistently or the CA file used to generate the cert is not the one used for the old nodes.
It would be helpful if you could share the following for further diagnosis:
Relevant sections in the elasticsearch.yml file of the old nodes and new node.
No, you need the key to generate any new certs. You can, however, reuse certs of existing nodes for the new node if the verification_mode is configured to be certificate.
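The CA mismatch suggested in the replies above can be checked with openssl before the new node is started. This is an added example, not part of the thread: it builds a constructed cluster CA and a second, freshly generated CA, signs an es4 certificate with each, and shows that only the one issued by the cluster's CA verifies (all names and files are assumptions made for the demo).

```shell
#!/bin/sh
# Added example. Every name, subject and file below is constructed for the demo.

# Succeeds only if the node certificate ($2) chains to the CA certificate ($1).
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, for comparing the ca.crt deployed on different nodes.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Throwaway CA named $1 (key + self-signed cert) in directory $2.
make_ca() {
    openssl req -x509 -config "$2/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# Node certificate for CN $1 signed by CA $2, written to $3/$1-$2.crt.
issue_node_cert() {
    openssl req -new -config "$3/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$3/$1-$2.key" -out "$3/$1-$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$3/$1-$2.csr" -CA "$3/$2.crt" -CAkey "$3/$2.key" \
        -CAcreateserial -days 1 -out "$3/$1-$2.crt" 2>/dev/null
}

# es4 signed once by the cluster's CA and once by a freshly generated CA.
demo() {
    d=$(mktemp -d) || return 1
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\nCN=demo\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/demo.cnf"
    make_ca cluster-ca "$d" && make_ca new-ca "$d" || return 1
    issue_node_cert es4 cluster-ca "$d" && issue_node_cert es4 new-ca "$d" || return 1
    issued_by_ca "$d/cluster-ca.crt" "$d/es4-cluster-ca.crt" && good=trusted || good=untrusted
    issued_by_ca "$d/cluster-ca.crt" "$d/es4-new-ca.crt" && bad=trusted || bad=untrusted
    [ "$(cert_fingerprint "$d/cluster-ca.crt")" = "$(cert_fingerprint "$d/new-ca.crt")" ] \
        && same=same-ca || same=different-ca
    rm -rf "$d"
    echo "$good $bad $same"
}

demo
```

On a real cluster, run issued_by_ca with the ca.crt the existing nodes trust and the new node's certificate, and compare cert_fingerprint of the ca.crt on each node.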