SOLVED : Multiple ES instances with SSL


I have multiple instances of Elasticsearch on the same server.

I have signed my certificate with my own CA. i have created on keystore by ES instance, and in this keystore i have the root certificate, my private key, and may signed certificate.

I also had to copy the shield directory on each ES instance and make sure it had the propers rights and owner.

when i start my node i have the following error:

[2016-03-24 15:37:28,412][ERROR][shield.transport.netty ] [uat-node01] SSL/TLS handshake failed, closing channel: General SSLEngine problem

Somebody have an idea ?

Is there a caused by exception in the stacktrace? The general problem could mean a lot of different things and usually the root cause is much more helpful.

Hi have the same problem posted some day ago .. Did you solve?

Unfortunatly not, after many attempt we had abandoned the idea to intergrate shield with our multiple instance architecture.

But if you find one solution please share :slight_smile:


I will play next days with it according to my spare time ..



Hi Clement,

If you provide more details we would be more than happy to try to help.


Hi Jay,

We juste try to install shield following your documentation (part installing shield), We had plan to use native user authentification in a first time.
Then we created an user.

And after all these steps, we had no restriction to access to our cluster. So we try to search during 3 days and the next weeks we decides to stop the installation of shield for the moment.

I have uninstall shield for the moment but when i will have a little time i could retry the installation and share our issues with you.


Are you using a license already, maybe for Marvel? If so and it is a basic license, shield will not protect the cluster. You can request a trial license extension from

I already use a trial license. Maybe too old ?

Hmm I am not sure. You can check the status by issuing a GET on /_license

Okay my license is not trial :sweat_smile:

"status": "active", "type": "basic",

I sent an email to the address you gave me.
When i will have the trial license i will retry to install shield and i will tell you if its work or not.

thanks for your help :smile:


I try again to install shield.

I update the license, and i have done all the first stap of the installation.

I still have a problem of authentication.

{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [es_admin] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"unable to authenticate user [es_admin] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}

I think shield can't work with multi ES node on the same server by default.

My architecture is composed of 3 servers. There are 4 nodes on each servers.

The error occurred when i create the es_admin user on my second server.

After another attempt to install shield.

I can say that the error is not because of my multiple node.

The error appeared after the shield installation.

Hi Clement,

Can you provide more details about both installations? (multiple node and single node). This includes versions, how you installed (rpm/deb/tar/zip), custom configuration path, etc


Thank you for the answer Jay,

I have 3 servers, the OS is CentOS 7 (v 7.2.1511).

Each server contains 4 nodes ES (v 2.2.0). 1 node is a client node, 1 node is a master node and the two others are data nodes. Each server contains also 1 redis-server (v2.8.19), logstash (v 2.2.0) and Kibana (v 4.4.0). I use keepalived to provide loadbalancing.

So i have 3 client nodes, 3 master nodes and 6 data nodes.

I installed my nodes with rpm.

For Elasticsearch the rpm commande create the directory "/etc/elasticsearch". I copied this directory in multiple directory to create each node.

To start each nodes separately, i copied the original systemd file to create 4 systemd files for each node in "/usr/lib/systemd/system/". And i changed paths to point to the correct node configuration files.

I also copied the "/etc/sysconfig/elasticsearch" file in 4 files, one for each node. And i changed the different path to point to the correct node configuration directory.


Ok. The shield esusers script requires an option to be specified in this type of installation so that it places the files in the proper directory.

bin/shield/esusers useradd admin -r admin --path.conf=/path/to/configuration/directory

You can either run this command for each node config directory or manually copy the users and users_roles files

Thanks it's work for me :grinning:

Thank you for your time.

1 Like