SSLHandshakeException: no cipher suites in common

https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls.html#node-certificates

Hi, I have a 3 node cluster and am trying to set up TLS security using the link above.

Without enabling the configs below, the cluster nodes are able to discover each other.

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /opt/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /opt/elasticsearch/config/elastic-certificates.p12

After enabling, all 3 nodes complain: "SSLHandshakeException: no cipher suites in common"

These are the steps that I did on each node:

  1. generated a cert using elasticsearch-certutil and placed it in the config folder
  2. added the 4 xpack lines to elasticsearch.yml

Anyone know what this means?

The error message means that a client in a TLS handshake couldn't agree on a mutually supported cipher suite. This can be misleading, as it can also happen in the context of Java when one of the two is configured with no available keys for TLS.

Can you share with us:

  • The exact command that you used to create the PKCS#12 files
  • The output of openssl -in /opt/elasticsearch/config/elastic-certificates.p12 -info
  • The logs (the exception stack traces) from a couple of your nodes.

Command run on all 3 nodes:
/opt/elasticsearch/bin/elasticsearch-certutil cert --out /opt/elasticsearch/config/elastic-certificates.p12 --pass ""

I can't generate any output from command openssl -in /opt/elasticsearch/config/elastic-certificates.p12 -info. Do you need all three nodes?

I cannot explain why you are getting a cipher suites error, but the problem here is that you ran that command on each node.

You skipped step 1, which creates a single CA for your cluster. Because you didn't do that step, the /opt/elasticsearch/bin/elasticsearch-certutil cert command generated a new CA each time you ran it, which will not work.

If you are going to use /opt/elasticsearch/bin/elasticsearch-certutil cert without first generating a CA, then you need to run it once and then copy that certificate keystore to each node.
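Before restarting nodes with transport TLS enabled, it is worth checking each node's PKCS#12 keystore for the two things discussed in this thread: that it actually contains a private key (the Java "no cipher suites in common" case above) and that every node's bundle carries the same CA certificate (the one-CA-per-node mistake). The script below is an added example, not code from the thread or from Elastic; it assumes the openssl CLI is installed and, like the thread, an empty keystore password unless P12_PASS is set. The fixture functions at the end build constructed sample keystores so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the thread or Elastic): summarise a PKCS#12 keystore
# before enabling xpack.security.transport.ssl on each node.
# Assumes the openssl CLI; keystore password from P12_PASS (empty by default).
set -e
P12_PASS="${P12_PASS-}"

# Print "<number of private keys> <sha256 fingerprint of bundled CA cert or none>".
p12_summary() {
  keys=$(openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
         | grep -c 'BEGIN.*PRIVATE KEY' || true)
  cafp=$(openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -cacerts 2>/dev/null \
         | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/.*=//' || true)
  echo "${keys:-0} ${cafp:-none}"
}

# "yes" if both keystores hold a private key and the same CA certificate, else "no".
same_ca() {
  a=$(p12_summary "$1"); b=$(p12_summary "$2")
  for s in "$a" "$b"; do
    case "$s" in 0\ *|*\ none) echo no; return 0;; esac
  done
  [ "$a" = "$b" ] && echo yes || echo no
}

# Constructed fixtures: node1 and node2 signed by ca1, node3 by a separate ca2
# (the situation Tim describes when certutil is run on every node).
make_ca() {  # $1 = dir, $2 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
make_node_p12() {  # $1 = dir, $2 = node name, $3 = CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -certfile "$1/$3.crt" -passout "pass:$P12_PASS" -out "$1/$2.p12"
}
build_demo() {  # prints the directory that holds node1..node3 .p12 files
  d=$(mktemp -d)
  make_ca "$d" ca1; make_ca "$d" ca2
  make_node_p12 "$d" node1 ca1; make_node_p12 "$d" node2 ca1
  make_node_p12 "$d" node3 ca2
  echo "$d"
}
```

Run p12_summary against /opt/elasticsearch/config/elastic-certificates.p12 on each node and compare the second field; a "0" first field or differing fingerprints points at the keystore rather than at cipher configuration.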

Hi Tim

Thanks for replying. I have included the step to generate one CA, transfer the CA to all three nodes and ran the following command:
/opt/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-stack-ca.p12 --ca-pass "" --out /opt/elasticsearch/config/elastic-certificates.p12 --pass ""

Sadly, after restarting all 3 nodes, they still complain: "SSLHandshakeException: no cipher suites in common"

Can you provide the complete error message from the log, including the stack trace, please?
