The first command has some oddity in that it has a ca parameter after --keep-ca-key. It is not necessary but does not seem to cause any issue. The problem is most likely related to the configurations around TLS, e.g. either the CA is not configured consistently or the ca file used to generate the cert is not the one used for the old nodes.
It would be helpful if you could share the following for further diagnosis:
- Relevant sections in the elasticsearch.yml file of the old nodes and new node.
- Complete log messages around the exception.
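
One way to test the CA-mismatch hypothesis in the reply above, as an added example that is not part of the original post: check whether the new node's certificate chains to the CA the old nodes trust, and compare CA fingerprints. It assumes PEM files and the `openssl` CLI; all file names and the throwaway PKI are constructed for the demo, and PKCS#12 bundles would have to be exported to PEM first.

```shell
#!/bin/sh
# Added example: function names and file names are hypothetical.

# Succeeds (exit 0) if PEM certificate $2 chains to PEM CA certificate $1.
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the SHA-256 fingerprint of a PEM certificate, for comparing the CA
# file found on an old node with the one used to generate the new cert.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed sample data: two throwaway CAs and one node certificate
# signed by the first CA only.
make_sample_pki() {
    dir=$1
    for name in old_ca other_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=new-node" \
        -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
    openssl x509 -req -in "$dir/node.csr" -days 1 \
        -CA "$dir/old_ca.crt" -CAkey "$dir/old_ca.key" -CAcreateserial \
        -out "$dir/node.crt" 2>/dev/null
}

# Demo: the node cert verifies against the CA that signed it and fails
# against the other one, which is the symptom of a mismatched ca file.
demo_dir=$(mktemp -d)
make_sample_pki "$demo_dir"
for ca in old_ca other_ca; do
    if issued_by_ca "$demo_dir/$ca.crt" "$demo_dir/node.crt"; then
        echo "node.crt chains to $ca ($(ca_fingerprint "$demo_dir/$ca.crt"))"
    else
        echo "node.crt does NOT chain to $ca"
    fi
done
rm -rf "$demo_dir"
```
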