Received fatal alert: bad_certificate

Hello All,

I configured 4 node Elasticsearch cluster. 1 -M, 2-M/D and 1 - D nodes. I have encrypted TLS using p12 and generated pem to get the organisation signed certificates.

Certificate was generated as below.

./keytool -genkeypair -alias elastic-dev1 -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass <> -storepass <> -validity 3650 -keystore elastic-dev1.jks -dname ", OU=Data, O=example Banking Group, L=Melbourne, ST=VIC, C=AU" -ext,DNS:delaa01l.unix.example,DNS:delaa02l.unix.example

Generate .pem certificate
./keytool -certreq -alias elastic-dev1 -file certreq.pem -keystore elastic-dev1.jks -ext,DNS:delaa01l.unix.example,DNS:delaa02l.unix.example

Create a directory 'certs' at the location '/app/elasticsearch/config' and copy the elastic-dev1.jks file into certs directory
Raise a request for CA signer certificates. Click on the below url and follow the steps mentioned in the section "Request for CA Signer certificate"

Once we receive the certificate then download all the internal certs (, example_GlobalTest_Root_CA_v2.cer and example_GlobalTest_CA_02_v2.cer) to the location ''/app/elastic/config/certs' of elastic server.

executed the below commands
./keytool -importcert -file example_GlobalTest_Root_CA_v2.cer -keystore elastic-dev1.jks -alias "example_GlobalTest_Root_CA_v2"
./keytool -importcert -file example_GlobalTest_CA_02_v2.cer -keystore elastic-dev1.jks -alias "example_GlobalTest_CA_02_v2"
./keytool -importcert -file -keystore elastic-dev1.jks -alias ""
./keytool -importkeystore -srckeystore elastic-dev1.jks -destkeystore elastic-dev1.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]

openssl pkcs12 -in elastic-dev1.p12 -out client-ca.pem -clcerts -nokeys
Copy all certs to /etc/elasticsearch/certs and created soft-link to config location.

Done in all nodes.

Cluster is able to start, however getting below error..
[2021-02-25T00:18:12,396][WARN ][o.e.t.TcpTransport ] [] exception caught on transport layer [Netty4TcpChannel{localAddress=/, remoteAddress=/}], closing connection
io.netty.handler.codec.DecoderException: Received fatal alert: bad_certificate
at io.netty.handler.codec.ByteToMessageDecoder.callDecode( ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead( ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at$HeadContext.channelRead( [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at$ [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$ [netty-common-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.internal.ThreadExecutorMap$ [netty-common-4.1.49.Final.jar:4.1.49.Final]
at [?:?]
Caused by: Received fatal alert: bad_certificate

[elastic@delaa11l /app/elastic/fmp-e2e2/elasticsearch/config] $ curl -XGET '' -H'Content-Type: application/json'
curl: (60) Issuer certificate is invalid.
More details here:

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

You need to also show us your elasticsearch.yml and specifically the parts where you configure TLS.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.