SSL Handshake Exception: Empty Client Certificate Chain

Hello,

I’m currently working on a task to test a secure connection between Archiving and Elasticsearch.
Following the command:
curl -k https://<ip>:<port>/_security/_authenticate

However, I’m encountering an issue with the SSL/TLS handshake. The error message I’m getting is javax.net.ssl.SSLHandshakeException: Empty client certificate chain.

Here’s my Elasticsearch configuration related to SSL:

# Transport layer SSL configuration
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/node1.p12
xpack.security.transport.ssl.certificate_authorities: certs/ca.pem

# HTTP layer SSL configuration
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.keystore.path: certs/node1.p12
xpack.security.http.ssl.truststore.path: certs/client.p12

I’ve checked the contents of my keystore (certs/node1.p12) and truststore (certs/client.p12) using the keytool -list command, and they seem to be correctly configured. The keystore contains the client certificate along with its private key, and all intermediate certificates (if any) are included. The truststore contains the root certificate. The certificates are in X.509 format.

Despite this, I’m still encountering the Empty client certificate chain error. I would appreciate any guidance on how to resolve this issue. Could there be some other configuration problem that I’m overlooking? Or could there be a problem with the certificates themselves (e.g., they might not be trusted by the other party, they might be expired, etc.)?

Thank you in advance for your help!

The above setting sets SSL client authentication to required.
That is, you have instructed Elasticsearch to reject any connection attempt from a client that cannot provide a client certificate.

However, this

does not provide a client certificate. If you want curl to provide a client certificate then you need to instruct it to do so (-E or --cert) .