I'm currently trying to add a new node to an existing cluster but appear to have issues with the certificates. Error log is stating the following.
[2018-04-10T12:08:54,945][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [es-node1] write and flush on the network layer failed (channel: [id: 0x1e1078a8, L:0.0.0.0/0.0.0.0:45310 ! R:/10.1.1.1:9300])
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
[2018-04-10T12:08:54,952][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [es-node1] client did not trust this server's certificate, closing connection [id: 0xe317532b, L:0.0.0.0/0.0.0.0:40538 ! R:/10.1.1.1:9300]
The original CA that was used to create the certificates is, I believe, no longer available. The set of certs on this host was generated using this method.
/usr/share/elasticsearch/bin/x-pack/certgen --days 1095 --cert /etc/elasticsearch/x-pack/ca/ca.crt --key /etc/elasticsearch/x-pack/ca/ca.key --in /etc/elasticsearch/x-pack/ca/es-node1.yml --out es-node1.zip --pass
The ca.key/crt files were taken from one of the existing hosts in the cluster.
I'm now wondering if we need to set a new CA on one of the nodes and regenerate certificates for all of the nodes and deploy those? Currently it appears that the other nodes in the cluster don't trust the certificate that I had generated for this new node.
Is there an easier method here? If it's the only way, then is this document the best to follow - https://www.elastic.co/blog/tls-elastic-stack-elasticsearch-kibana-logstash-filebeat
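Two checks that narrow down a `certificate_unknown` failure like the one above, as an added example that is not part of the original post: whether a copied ca.crt and ca.key belong to the same key pair, and whether a node certificate verifies against the CA the other nodes trust. The function names and the caA/caB/node file names are hypothetical, and every certificate is constructed test material generated in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example. All certificates below are constructed test material.

# True when the certificate and the private key hold the same public key,
# i.e. the ca.crt/ca.key pair copied from another host really belong together.
# (An encrypted key makes openssl prompt for its passphrase.)
ca_pair_matches() {  # usage: ca_pair_matches ca.crt ca.key
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$from_cert" = "$from_key" ]
}

# True when node.crt verifies against the CA file that the other nodes trust.
chains_to() {  # usage: chains_to trusted_ca.crt node.crt
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build constructed material: cluster CA "A", a look-alike CA "B" with the
# same subject name, and an es-node1 certificate signed by B.
make_constructed_pki() {  # usage: make_constructed_pki dir
  local d=$1 ca
  for ca in A B; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed Cluster CA" \
      -keyout "$d/ca$ca.key" -out "$d/ca$ca.crt" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=es-node1" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/node.csr" -CA "$d/caB.crt" -CAkey "$d/caB.key" \
    -CAcreateserial -days 1 -out "$d/node.crt" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_constructed_pki "$d" || return 1
  ca_pair_matches "$d/caA.crt" "$d/caA.key" && echo "caA.crt + caA.key: same key pair"
  ca_pair_matches "$d/caA.crt" "$d/caB.key" || echo "caA.crt + caB.key: different key pair"
  chains_to "$d/caB.crt" "$d/node.crt" && echo "node.crt chains to CA B (its issuer)"
  chains_to "$d/caA.crt" "$d/node.crt" || echo "node.crt rejected by CA A (same name, different key)"
  rm -rf "$d"
}
demo
```

On a real host the same two functions take the ca.crt, ca.key and node certificate paths directly; a CA that merely shares the subject name of the one the cluster trusts still fails the second check.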