Getting "bad_certificate" with certs that I've generated


(Steve Button) #1

I've set up a CA and generated my own cert using the following commands:

Create root private CA key
winpty openssl genrsa -aes256 -out private/ca.key.pem 4096

Create root cert.
winpty openssl req -config openssl-ca.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Generate CSR
# -newkey rsa:2048 is dropped: -key already supplies the existing key, so the two flags conflicted. -days is dropped too, as req only honours it with -x509.
openssl req -new -key private.key -sha256 -out ukselastic.csr -outform PEM

Sign the CSR with the CA.
https://www.elastic.co/guide/en/shield/shield-1.2/_create_a_ca_certificate.html
winpty openssl x509 -req -days 730 -CA certs/ca.cert.pem -CAkey private/ca.key.pem -CAcreateserial -CAserial serial -in ukselastic.csr -out ukselastic.pem
(actually from https://stackoverflow.com/questions/32072668/openssl-sign-https-client-certificate-with-ca )

However, when I copy across the ukselastic.pem and the private.key files to the server and amend the config to look at them, ES refuses to start and comes back with

which contains "unable to find valid certification path to requested target". The strange thing is I'm using this exact same configuration on the first node, and it starts up just fine. It's even using the same certs, as they are SAN certs which include all the names for the nodes. Even if there was a problem with the SAN cert, I would have expected it to fail on both nodes.

I guess I'm barking up the wrong tree, but I really can't see what's wrong with my config.

Any suggestions?

EDIT: After posting this I wondered if it's an ordering thing, so I tried starting node1 and then node0. Lo and behold, node1 starts just fine, but as soon as I start node0 I get the errors. Not sure if this helps me at all, but it's another fact to consider.

Thanks,

Steve
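The three steps above, as an added example that is not part of the original post or of Elastic's documentation: it rebuilds the CA, the CSR and the CA signing in a scratch directory, then runs the check a node's JVM performs when it reports "unable to find valid certification path to requested target", namely whether the leaf certificate chains to the root in the truststore it was given. It also shows a gotcha in the signing step: openssl x509 -req does not copy extensions out of the CSR, so the SANs are lost unless the extension section is named again with -extfile/-extensions, which is worth confirming on a certificate meant to cover several node names. The CA name, the host names node0/node1.example.test and the minimal openssl.cnf are assumptions, since the post's openssl-ca.cnf is not shown.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Elastic. Rebuilds the
# CA -> CSR -> signed node cert flow in a scratch directory and checks the result.
# Assumed names: "Example Root CA", node0.example.test, node1.example.test.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p certs private

# Minimal stand-in for the post's openssl-ca.cnf (assumed). v3_node carries the
# SANs for both nodes; v3_ca marks the root as a CA.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_node ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:node0.example.test, DNS:node1.example.test
EOF

# 1. Root CA key and self-signed root cert (2048 bits and no passphrase so the
#    script runs unattended; the post used 4096 bits with -aes256).
openssl genrsa -out private/ca.key.pem 2048 2>/dev/null
openssl req -new -x509 -config openssl.cnf -key private/ca.key.pem -sha256 \
    -days 7300 -subj "/CN=Example Root CA" -extensions v3_ca \
    -out certs/ca.cert.pem 2>/dev/null

# 2. Node key and CSR. -reqexts writes the SAN profile into the request.
openssl genrsa -out private.key 2048 2>/dev/null
openssl req -new -config openssl.cnf -key private.key -sha256 \
    -subj "/CN=node0.example.test" -reqexts v3_node -out ukselastic.csr 2>/dev/null

# 3. Sign with the CA. x509 -req ignores the extensions in the CSR, so the
#    profile has to be named again here or the signed cert has no SANs.
openssl x509 -req -in ukselastic.csr -CA certs/ca.cert.pem -CAkey private/ca.key.pem \
    -CAcreateserial -days 730 -sha256 -extfile openssl.cnf -extensions v3_node \
    -out ukselastic.pem 2>/dev/null

# 3b. Same signing step without -extfile, kept to show what gets lost.
openssl x509 -req -in ukselastic.csr -CA certs/ca.cert.pem -CAkey private/ca.key.pem \
    -CAcreateserial -days 730 -sha256 -out ukselastic-nosan.pem 2>/dev/null

# An unrelated CA, standing in for a node whose truststore holds the wrong root.
openssl genrsa -out private/other.key.pem 2048 2>/dev/null
openssl req -new -x509 -config openssl.cnf -key private/other.key.pem -sha256 \
    -days 7300 -subj "/CN=Other CA" -extensions v3_ca \
    -out certs/other.cert.pem 2>/dev/null

# Chain check: can the leaf ($2) be chained to the trust anchor ($1)? This is
# what a Java trust manager decides before it throws "unable to find valid
# certification path to requested target". Prints ok or fail.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# DNS SANs actually present in a signed cert, one per line (nothing if none).
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

echo "chain vs own CA:        $(verify_against certs/ca.cert.pem ukselastic.pem)"
echo "chain vs other CA:      $(verify_against certs/other.cert.pem ukselastic.pem)"
echo "SANs with -extfile:     $(san_names ukselastic.pem | tr '\n' ' ')"
echo "SANs without -extfile:  $(san_names ukselastic-nosan.pem | tr '\n' ' ')"
```

The two functions are the part worth reusing: running openssl verify -CAfile against the CA file each node's truststore actually contains, and listing the SANs of the cert that was copied over, is the quickest way to confirm that the certificate a node is presenting can be chained to what that node trusts and that it really does name every node.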

