On Elasticsearch 5.6.10 complex, I recently installed x-pack and I've subscribed to Elastic licenses which has been downloaded. I've generated certificates for both the client machine and the CA Root certificate, and I've verified that the certs have not expired, and they can communicate by using:
[root@elkesq01 x-pack]# openssl verify -CAfile snopud-root-ca.cer elkesq01.cer
elkesq01.cer: OK
And on my /var/elasticsearch/elasticsearch.yml file I've verified certain settings including x-pack security settings such as::
network.host: (lists the IP address)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "/etc/elasticsearch/x-pack/elkesq01.key"
xpack.security.http.ssl.certificate: "/etc/elasticsearch/x-pack/elkesq01.cer"
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/x-pack/snopud-root-ca.cer"]
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: "/etc/elasticsearch/x-pack/elkesq01.key"
xpack.security.transport.ssl.certificate: "/etc/elasticsearch/x-pack/elkesq01.cer"
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/x-pack/snopud-root-ca.cer"]
xpack.ssl.cipher_suites: [ "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" ]
The problem is when I try to attempt to install the license using:
curl -XPUT -u elastic 'https://FQDN:9200/_xpack/license' -H "Content-Type: application/json" -d @(license).json
I get this message:
Enter host password for user 'elastic':
curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
What are the things I should check on?