License installation problems with x-pack on Elasticsearch 5.6.10

jhshen · November 8, 2019, 10:36pm

On Elasticsearch 5.6.10 complex, I recently installed x-pack and I've subscribed to Elastic licenses which has been downloaded. I've generated certificates for both the client machine and the CA Root certificate, and I've verified that the certs have not expired, and they can communicate by using:

[root@elkesq01 x-pack]# openssl verify -CAfile snopud-root-ca.cer elkesq01.cer
elkesq01.cer: OK

And on my /var/elasticsearch/elasticsearch.yml file I've verified certain settings including x-pack security settings such as::

network.host: (lists the IP address)

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "/etc/elasticsearch/x-pack/elkesq01.key"
xpack.security.http.ssl.certificate: "/etc/elasticsearch/x-pack/elkesq01.cer"
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/x-pack/snopud-root-ca.cer"]

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: "/etc/elasticsearch/x-pack/elkesq01.key"
xpack.security.transport.ssl.certificate: "/etc/elasticsearch/x-pack/elkesq01.cer"
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/x-pack/snopud-root-ca.cer"]

xpack.ssl.cipher_suites: [ "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" ]

The problem is when I try to attempt to install the license using:

curl -XPUT -u elastic 'https://FQDN:9200/_xpack/license' -H "Content-Type: application/json" -d @(license).json

I get this message:

Enter host password for user 'elastic':
curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

What are the things I should check on?

jhshen · November 8, 2019, 10:53pm

On re-creating the certificates using another method, this seems accept the license. I'll have to re-generate both the Kibana and the Logstash servers for everything to work.

system · December 6, 2019, 10:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.