SSL between elasticsearch nodes fails


I've deployed a 3-node Elasticsearch 5.0 cluster and the X-Pack 5.0 plugin.

I've created 3 client-server SSL certificates with the same CA and added these lines to the elasticsearch.yml file:

  • xpack.ssl.key: /etc/elasticsearch/x-pack/cert.key
  • xpack.ssl.certificate: /etc/elasticsearch/x-pack/cert.crt
  • xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
  • true

When I start Elasticsearch, I get the following error:

Caused by: Extended key usage does not permit use for TLS client authentication
	at ~[?:?]
	at ~[?:?]
	at ~[?:?]
	at ~[?:?]
	at ~[?:?]
	at ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService$ReloadableTrustManager.checkClientTrusted( ~[?:?]
	at ~[?:?]
	at ~[?:?]
	at ~[?:?]
	at$ ~[?:?]
	at$ ~[?:?]
	at Method) ~[?:1.8.0_112]
	at$ ~[?:?]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks( ~[?:?]
	at io.netty.handler.ssl.SslHandler.unwrap( ~[?:?]
	at io.netty.handler.ssl.SslHandler.decode( ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode( ~[?:?]
	... 15 more

Elasticsearch says my certificate is not a client-server certificate, but openssl confirms that it is a client-server certificate:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:

Can you help me?


Problem solved 🙂

One node's certificate was just a server certificate. I replaced it and the cluster started normally.
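A quick way to catch this before a node fails to start is to check every node certificate for both Extended Key Usage values that node-to-node TLS needs. Each node accepts connections (acting as a TLS server) and opens connections to its peers (acting as a TLS client), so a certificate with only "TLS Web Server Authentication" will be rejected exactly as the stack trace above shows. The script below is an added example, not code from the thread or from Elastic; it parses the text form produced by `openssl x509 -noout -text` (the same output the question quotes) and the embedded sample dumps are constructed, with `node3` standing in for the server-only certificate.

```python
"""Check that every Elasticsearch node certificate allows both TLS server and
TLS client authentication in its Extended Key Usage (EKU) extension.

Input is the text dump from `openssl x509 -in cert.crt -noout -text`.
"""
import re
import subprocess
import sys

# Both values are needed because a node is a TLS server and a TLS client.
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}


def parse_eku(openssl_text):
    """Return the set of EKU names from an openssl text dump.

    An empty set means the certificate carries no EKU extension at all.
    """
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", openssl_text)
    if not m:
        return set()
    return {item.strip() for item in m.group(1).split(",") if item.strip()}


def check_node_cert(openssl_text):
    """Return a list of problems; an empty list means the cert is usable for
    both sides of transport TLS."""
    eku = parse_eku(openssl_text)
    if not eku:
        # No EKU extension means no usage restriction, so nothing to flag.
        return []
    missing = REQUIRED_EKU - eku
    return [f"Extended Key Usage lacks: {name}" for name in sorted(missing)]


def check_cluster(node_texts):
    """Map node name -> problem list for a dict of name -> openssl text dump."""
    return {name: check_node_cert(text) for name, text in node_texts.items()}


def dump_cert(path):
    """Run the openssl binary on a PEM file and return its text dump."""
    result = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample dumps (extension block only). node3 is the server-only
# certificate that produces the "does not permit use for TLS client
# authentication" error when another node connects to it.
DUAL_USE = (
    "X509v3 extensions:\n"
    "    X509v3 Key Usage: critical\n"
    "        Digital Signature, Key Encipherment\n"
    "    X509v3 Extended Key Usage:\n"
    "        TLS Web Server Authentication, TLS Web Client Authentication\n"
)
SERVER_ONLY = (
    "X509v3 extensions:\n"
    "    X509v3 Key Usage: critical\n"
    "        Digital Signature, Key Encipherment\n"
    "    X509v3 Extended Key Usage:\n"
    "        TLS Web Server Authentication\n"
)
SAMPLE = {"node1": DUAL_USE, "node2": DUAL_USE, "node3": SERVER_ONLY}


if __name__ == "__main__":
    # Usage: python check_eku.py node1.crt node2.crt node3.crt
    # With no arguments the constructed samples are checked instead.
    sources = {p: dump_cert(p) for p in sys.argv[1:]} or SAMPLE
    for name, problems in check_cluster(sources).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the three `cert.crt` files before distributing them; the node whose certificate lists only server authentication is the one to reissue.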

(CJ Cenizal) #3

Glad you were able to figure it out! Thanks for posting your solution.
