Finally solved the many issues in the docs on this. Here are a few pointers to help out. This was solved on a Linux build, so is Linux related, but could also help with Windows.
I used this post as an instruction, and it failed in many places: Secure Elasticsearch with TLS encryption and role-based access control | Elastic Blog
- Take a backup... seriously. I found that I had to clear the data directory, as that was holding onto the wrong UUID for the cluster I was securing.
- x-pack looks, by default (under Linux), in the /etc/Elasticsearch folder... not the master folder (usr/share/Elasticsearch/config). So the certificate generated needs to be in there.
- Make sure the certificate is owned by Elasticsearch:Elasticsearch, and has 0600 permissions.
- Initially have your cluster down, and start up a master node only.
- Once you have set up the TLS security on the master, don't try adding uids passwords... as there is no data node to write to, and it times out. Only do this on the master, when you have fired up a data node as well.
- You may have to clear the data directory, as old cluster UUIDs could cause failure.
- Use the systemctl command to fire up your node, as you may find that non-Elasticsearch users don't have access to the /tmp and other directories. It's then worthwhile 'tailing' the [cluster-name].log file to see the output.
- Only fire up the master, then one data node, first to make sure all is working. Once it is, you can continue with the other nodes that you have, using the same certificate... which will probably involve you copying it around the cluster. The blog post carefully had both nodes on the same laptop, making it sooo much easier ;-D
Hope this helps some people, cos I spent more than a day tracking down the various issues with the docs... but finally have a fully functioning cluster that is TLS protected on internode comms, and uid/pwd protected on the 2 outward facing nodes (it's a PoC system, in a remote company, and not many have a static IP like I do, before people shout me down for insecure clusters).
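
A pre-flight check for the certificate location, ownership and mode points in the list above, as an added example that is not part of the original post. The function name `check_cert` is hypothetical, the certificate file name is a placeholder, and it assumes GNU `stat`/`readlink` plus the lowercase `elasticsearch` account and `/etc/elasticsearch` directory that the Linux packages create.

```shell
#!/bin/sh
# Added example: pre-flight check for a node's TLS certificate file.
# check_cert FILE OWNER:GROUP DIR
# Prints one line per problem and returns the number of problems found.
check_cert() {
    cert=$1; want_owner=$2; want_dir=$3; problems=0

    if [ ! -f "$cert" ]; then
        echo "MISSING: $cert does not exist or is not a regular file"
        return 1
    fi

    # Resolve symlinks so a link pointing outside the config dir is reported.
    real=$(readlink -f "$cert")
    real_dir=$(readlink -f "$want_dir")
    case "$real" in
        "$real_dir"/*) ;;
        *) echo "LOCATION: $real is not under $real_dir"
           problems=$((problems + 1)) ;;
    esac

    owner=$(stat -c '%U:%G' "$real")   # GNU stat, as found on Linux
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $real is $owner, expected $want_owner"
        problems=$((problems + 1))
    fi

    mode=$(stat -c '%a' "$real")
    if [ "$mode" != "600" ]; then
        echo "MODE: $real is $mode, expected 600"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Typical call on each node before starting it (file name is a placeholder):
#   check_cert /etc/elasticsearch/<certificate-file> \
#       elasticsearch:elasticsearch /etc/elasticsearch
```

Running it on every node after copying the certificate around the cluster catches a file that arrived with the copying user's ownership or a wider mode before the node is started with systemctl.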