OK, Now that you've provided the top half of the error stack trace, it's much clearer.
This is caused by your web browser.
Your browser is not configured to trust the Certificate Authority that your elasticsearch node is using. That is totally normal, certgen
is unable to directly generate certificates that browsers trust by default - for that you need to generate a Certificate Signing Request (which certgen can do) and send it off to a public CA.
When the browser encounters a certificate that it doesn't trust, it sends an error response to the server and closes the connection. Elasticsearch reports that error in the logs.
There are a bunch of solutions, but the right solution depends on your environment, and given the nature of these sort of security decisions, I can't really advise you on which is the right choice for your needs. But the options are:
- Generate a Certificate Signing Request (CSR) and send it to a trusted public CA. Some CAs will charge you for this, some are free, but you need to be able to prove that you are responsible for the domain that you are using for your server hostname.
- Generate a Certificate Signing Request (CSR) and send it to an internal trusted CA. Many large organisations run their own internal CA for use on their network, and install that CA into the browser/OS trust store as part of their standard desktop environment.
- Add your elasticsearch (certgen generated) CA to your browser/OS trust store. The instructions vary by OS and browser, but you can find tutorials on the internet. For personal use this is usually OK (though it does have security implications), but if you want others to be able to access your server, then it's probably not a long term viable option.
- Add a temporary or permanent exception for this certificate in your browser. The instructions vary by browser, and some browsers make it easier than other. You should be able to find instructions on the internet. For personal use this is usually OK, but if you want others to be able to access your server, then it's probably not a long term viable option.
- Don't worry about browser access. Elasticsearch isn't really intended to be accessed directly from a web browser, so if you're just trying to do this for testing you can use something like
curl
instead that has simpler options for handling CA trust. - Don't run SSL/TLS on the HTTP interface. It's good if you can do it, but as you've found it can also be tricky to get working.