We are using a wildcard certificate. Hence the CRT for the node as well as the CA is the same.
The elasticsearch.yml file is as follows:
cluster.name: cluster_name
node.name: i0861956fda57c7461
path.data: "/data/elasticsearch"
path.logs: "/var/log/elasticsearch"
network.host: 10.50.185.141
node.master: true
node.data: true
node.ingest: true
xpack.security.enabled: 'true'
xpack.security.transport.ssl.enabled: 'true'
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "/etc/elasticsearch/certs/i0861956fda57c7461.key"
xpack.security.http.ssl.certificate: "/etc/elasticsearch/certs/i0861956fda57c7461.crt"
xpack.security.http.ssl.certificate_authorities: "/etc/elasticsearch/certs/ca.crt"
xpack.security.http.ssl.client_authentication: optional
xpack.security.transport.ssl.key: "/etc/elasticsearch/certs/i0861956fda57c7461.key"
xpack.security.transport.ssl.certificate: "/etc/elasticsearch/certs/i0861956fda57c7461.crt"
xpack.security.transport.ssl.certificate_authorities: "/etc/elasticsearch/certs/ca.crt"
discovery.type: single-node
The node "i0861956fda57c7461.kbdev.net" resolves to the IP 10.50.185.141.
In the browser, https://i0861956fda57c7461.kbdev.net:9200/_cluster/health works with no SSL error.
Our certs expired on 09/03/2022.
Our Lambda function accesses the VPC where our node with IP 10.50.185.141 is.
Our Lambda function is configured to use "https://i0861956fda57c7461.kbdev.net:9200".
The issue starts when we enable encryption/certs. When we do not have certs, things work without any issue.
Following is the error we see when requests are made.
{
"errorType": "ConnectionError",
"errorMessage": "unable to verify the first certificate",
"trace": [
"ConnectionError: unable to verify the first certificate",
" at onResponse (/var/task/node_modules/@elastic/elasticsearch/lib/Transport.js:205:13)",
" at ClientRequest.request.on.err (/var/task/node_modules/@elastic/elasticsearch/lib/Connection.js:98:9)",
" at ClientRequest.emit (events.js:198:13)",
" at ClientRequest.EventEmitter.emit (domain.js:448:20)",
" at TLSSocket.socketErrorListener (_http_client.js:401:9)",
" at TLSSocket.emit (events.js:198:13)",
" at TLSSocket.EventEmitter.emit (domain.js:448:20)",
" at emitErrorNT (internal/streams/destroy.js:91:8)",
" at emitErrorAndCloseNT (internal/streams/destroy.js:59:3)",
" at process._tickCallback (internal/process/next_tick.js:63:19)"
]
}
Appreciate any help to resolve the "unable to verify the first certificate" error.
ca.crt contains the certificate provider cert, which in our case is the GoDaddy gd_bundle-g2-g1.crt.
The node cert is our server cert provided by GoDaddy.
The node key is the key used to create the node CRT.