Need help in - TLS in elastic cluster settings

security

(Siva) #1

I am setting up a three-node cluster currently. I got it working successfully without security, which I am trying currently.

From the organization I got a signed certificate on the DNS name which is load balanced externally on all three nodes. After signing I have a DNS cert (with SAN updated on all three host names), an intermediate cert and a root cert.

Below is my configuration in elasticsearch.yml:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /apps/elasticsearch/certs/node01-cert.key
xpack.security.transport.ssl.certificate: /apps/elasticsearch/certs/node01-cert.cer
xpack.security.transport.ssl.certificate_authorities: [ "/apps/elasticsearch/certs/root-cert.cer" ]

When I start the cluster I am getting the error below:

[2018-11-28T16:37:39,298][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [node01] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/1.1.1.1:43166}

Can you please help me understand which root cert this is verified against, or give any other guidance ...

Note: I do not have the CA bundle from the company

Thanks in advance.

Thanks,
Sivakumar


(Tim Vernum) #2

remoteAddress=/1.1.1.1:43166

You need to check logs from whatever is on 1.1.1.1 (I assume another node in your cluster).
The problem is on that node

client did not trust this server's certificate

and those logs will give you more indication about why.
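
Added example, not part of the thread and not Elastic's code: an offline openssl check of whether a node certificate chains to the root listed in certificate_authorities, with and without the intermediate. It builds a constructed root, intermediate and node01 certificate so it runs anywhere; the intermediate.cer file name and the make_chain and chain_ok helpers are assumptions.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed test material;
# file names mirror the post, intermediate.cer is an assumed name.

# make_chain DIR: build root -> intermediate -> node01 certificates in DIR.
make_chain() {
  d="$1"
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[node]
subjectAltName = DNS:node01,DNS:node02,DNS:node03
EOF
  openssl req -x509 -config "$d/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root-cert.cer" 2>/dev/null || return 1
  for n in intermediate node01-cert; do
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/intermediate.csr" -days 2 \
    -CA "$d/root-cert.cer" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions ca -out "$d/intermediate.cer" 2>/dev/null || return 1
  openssl x509 -req -in "$d/node01-cert.csr" -days 2 \
    -CA "$d/intermediate.cer" -CAkey "$d/intermediate.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions node -out "$d/node01-cert.cer" 2>/dev/null
}

# chain_ok TRUSTED LEAF [INTERMEDIATES]: exit 0 only if LEAF chains to TRUSTED.
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

work="$(mktemp -d)" && make_chain "$work" || exit 1
chain_ok "$work/root-cert.cer" "$work/node01-cert.cer" \
  && echo "root only: trusted" || echo "root only: NOT trusted"
chain_ok "$work/root-cert.cer" "$work/node01-cert.cer" "$work/intermediate.cer" \
  && echo "root + intermediate: trusted" || echo "root + intermediate: NOT trusted"
```

Run against the real files, a result where only the second form succeeds means a peer that trusts just the root cannot build the chain from the node certificate alone. In that case the intermediate has to reach the peer as well, for example in the PEM file given to xpack.security.transport.ssl.certificate, which may hold a certificate chain.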