PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Scenario:

  • Two single-node clusters (semi-production)
  • Remote cluster configured successfully on both

Cluster Migration

cluster.name: sitelight
node.name: node-0
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: SOME.IP
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
cluster.initial_master_nodes: ["elk.domain.tld"]
http.host: 0.0.0.0
path.repo: /mnt/nfs/elasticsearch/cluster01,/mnt/nfs/elasticsearch/cluster02
reindex.remote.whitelist: ["REMOTE.IP:9300", "elk0.domain.tld:9300"]

{
  "elk-cluster": {
    "connected": true,
    "mode": "sniff",
    "seeds": [
      "elk0.PRODUCCTION:9300"
    ],
    "num_nodes_connected": 1,
    "max_connections_per_cluster": 1,
    "initial_connect_timeout": "30s",
    "skip_unavailable": false
  }
}

Production Node

cluster.name: elk-cluster
node.name: node-0
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: SOME.IP
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
cluster.initial_master_nodes: ["elk0.domain.tld"]
http.host: 0.0.0.0
path.repo: /mnt/nfs/elasticsearch/cluster01
reindex.remote.whitelist: ["REMOTE.IP:9300","elk.domain.tld:9300"]

{
  "sitelight": {
    "connected": true,
    "mode": "sniff",
    "seeds": [
      "elk.SERVER_MIGRATION:9300"
    ],
    "num_nodes_connected": 1,
    "max_connections_per_cluster": 1,
    "initial_connect_timeout": "30s",
    "skip_unavailable": false
  }
}

Certificates were generated with certutil, using a password:

elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12

On both nodes, the passwords were added to the keystore:

❯ elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter value for xpack.security.transport.ssl.keystore.secure_password:
❯ elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:
❯ elasticsearch-keystore list
autoconfiguration.password_hash
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

scp -p elk.domain.tld:/usr/share/elasticsearch/elastic-stack-ca.p12 /usr/share/elasticsearch/
scp -p elk.domain.tld:/etc/elasticsearch/certs/elastic-certificates.p12 /etc/elasticsearch/certs/

The permissions were adjusted because the creation tool was giving incorrect permissions such as user and group.

Now, when I try to remap on the remote, using

POST _reindex?pretty
{
  "source": {
    "index": "modems-2024061201",  
    "remote": {
      "host": "https://elk..domain.tld:9300",
      "username": "elastic",
      "password": "PaSWoRd_Elastic_user"   
    },
    "query": {
      "match_all": {}  
    }
  },
  "dest": {
    "index": "modems-2024101801" 
  }
}

And get

{
  "error": {
    "root_cause": [
      {
        "type": "s_s_l_handshake_exception",
        "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
      }
    ],
    "type": "s_s_l_handshake_exception",
    "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "caused_by": {
      "type": "validator_exception",
      "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
      "caused_by": {
        "type": "sun_cert_path_builder_exception",
        "reason": "unable to find valid certification path to requested target"
      }
    }
  },
  "status": 500
}

I don't understand what I did wrong following the doc.
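
The error in the post is what a Java TLS client raises when the certificate presented by the server does not chain to any CA in the trust store the client consulted. The following is an added example, not part of the original post: it uses openssl with throwaway CAs (all file and subject names are constructed) to show the same chain check passing against the issuing CA and failing against any other anchor.

```bash
#!/usr/bin/env bash
# Constructed demo of the chain-of-trust check behind "PKIX path building failed".
# Every file name and subject name below is made up for this example.

# make_ca DIR NAME: create a self-signed CA (NAME.key, NAME.crt) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf DIR CA NAME: create a key and a certificate for NAME signed by CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# chain_ok ANCHOR CERT: succeed only if CERT chains to the trust anchor ANCHOR.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pkix_demo: check one node certificate against two different trust anchors.
pkix_demo() {
  local d; d=$(mktemp -d) || return 1
  make_ca "$d" stack-ca            # stands in for the CA that signed the node cert
  make_ca "$d" other-ca            # stands in for a trust store lacking that CA
  issue_leaf "$d" stack-ca node-0
  for anchor in stack-ca other-ca; do
    if chain_ok "$d/$anchor.crt" "$d/node-0.crt"; then
      echo "$anchor: trusted"
    else
      echo "$anchor: untrusted (Java reports this as PKIX path building failed)"
    fi
  done
  rm -rf "$d"
}

pkix_demo
```

Running the same `chain_ok` check on the certificate the remote endpoint actually serves and on the CA file the calling side trusts shows which of the two does not match.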