SSLHandshakeException: no cipher suites in common

https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls.html#node-certificates

Hi, I have a 3-node cluster and am trying to set up TLS security using the link above.

Without enabling the configs below, the cluster nodes are able to discover each other:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /opt/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /opt/elasticsearch/config/elastic-certificates.p12

After enabling, all 3 nodes complain: "SSLHandshakeException: no cipher suites in common"

These are the steps that I did on each node:

  1. generated certs using elasticsearch-certutil and placed them in the config folder
  2. added the 4 xpack lines above to elasticsearch.yml

Does anyone know what this means?

The error message means that the two sides of a TLS handshake couldn't agree on a mutually supported cipher suite. This can be misleading, as it can also happen in Java when one of the two sides is configured with no available keys for TLS.

Can you share with us:

  • The exact command that you used to create the PKCS#12 files
  • The output of openssl pkcs12 -in /opt/elasticsearch/config/elastic-certificates.p12 -info
  • The logs (the exception stack traces) from a couple of your nodes.

Command run on all 3 nodes:
/opt/elasticsearch/bin/elasticsearch-certutil cert --out /opt/elasticsearch/config/elastic-certificates.p12 --pass ""

I can't generate any output from the command openssl -in /opt/elasticsearch/config/elastic-certificates.p12 -info. Do you need all three nodes?

I cannot explain why you are getting a cipher suites error, but the problem here is that you ran that command on each node.

You skipped step 1, which creates a single CA for your cluster. Because you didn't do that step, the /opt/elasticsearch/bin/elasticsearch-certutil cert command generated a new CA each time you ran it, which will not work.

If you are going to use /opt/elasticsearch/bin/elasticsearch-certutil cert without first generating a CA, then you need to run it once and then copy that certificate keystore to each node.
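As an added illustration of the point in the reply above (example code written for this thread, not code from Elastic, from elasticsearch-certutil or from any poster): the Go program below builds certificates in memory and runs a transport-style TLS handshake between two nodes, first with both node certificates issued by one shared CA, then with each node trusting only a CA it generated itself, which is what running the cert command without --ca on every node produces. The names (ca-made-on-node-1, node-1 and so on) are placeholders, the chain check mimics verification_mode: certificate (the peer must chain to the trusted CA, no hostname check), and the functions newCert, nodeConfig, handshake and scenario are this example's own. Go reports the mismatch as "x509: certificate signed by unknown authority"; the Java error text quoted in this thread is different, but the misconfiguration being demonstrated is the one described above.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert builds an in-memory cert: a self-signed CA when parent is nil (the role of elastic-stack-ca.p12), else a node cert signed by parent (the role of elastic-certificates.p12).
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// nodeConfig mirrors verification_mode: certificate: the peer must present a certificate that chains
// to trustedCA, but no hostname is checked, so Go's built-in verification is replaced by VerifyPeerCertificate.
func nodeConfig(cert *x509.Certificate, key ed25519.PrivateKey, trustedCA *x509.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	verifyChain := func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		chain, err := x509.ParseCertificates(bytes.Join(rawCerts, nil))
		if err != nil || len(chain) == 0 {
			return fmt.Errorf("peer presented no usable certificate: %v", err)
		}
		// certutil-issued node certs are signed directly by the CA, so no intermediates are needed here.
		_, err = chain[0].Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		return err
	}
	return &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		MinVersion:             tls.VersionTLS12,
		ClientAuth:             tls.RequireAnyClientCert, // server role: the connecting node must show a certificate
		InsecureSkipVerify:     true,                     // client role: skip the hostname check ...
		VerifyPeerCertificate:  verifyChain,              // ... but the chain must still end at trustedCA
		SessionTicketsDisabled: true,                     // no post-handshake messages over the pipe in handshake()
	}
}

// handshake runs one TLS handshake over an in-memory pipe (clientCfg connects, serverCfg accepts).
func handshake(serverCfg, clientCfg *tls.Config) error {
	clientConn, serverConn := net.Pipe()
	clientConn.SetDeadline(time.Now().Add(3 * time.Second)) // a stuck handshake fails instead of hanging
	serverConn.SetDeadline(time.Now().Add(3 * time.Second))
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(serverConn, serverCfg).Handshake() }()
	clientErr := tls.Client(clientConn, clientCfg).Handshake()
	clientConn.Close() // also unblocks a server still trying to write an alert
	if sErr := <-serverErr; clientErr == nil {
		return sErr
	}
	return clientErr
}

// scenario has node-1 connect to node-2. With sharedCA both node certificates and truststores come
// from one CA (the documented procedure); without it each node trusts only the CA it generated itself.
func scenario(sharedCA bool) error {
	ca1, caKey1, err := newCert("ca-made-on-node-1", nil, nil)
	ca2, caKey2 := ca1, caKey1
	if err == nil && !sharedCA {
		ca2, caKey2, err = newCert("ca-made-on-node-2", nil, nil)
	}
	cert1, key1, err1 := newCert("node-1", ca1, caKey1)
	cert2, key2, err2 := newCert("node-2", ca2, caKey2)
	if err != nil || err1 != nil || err2 != nil {
		return fmt.Errorf("generating certificates: %v %v %v", err, err1, err2)
	}
	return handshake(nodeConfig(cert2, key2, ca2), nodeConfig(cert1, key1, ca1))
}

func main() {
	fmt.Println("one shared CA:  ", scenario(true))
	fmt.Println("one CA per node:", scenario(false))
}
```

Running it prints a nil error for the shared-CA case and an "unknown authority" error for the per-node-CA case. The same check applies to the real cluster: every node's keystore must hold a certificate issued by the one CA that every node's truststore contains, which is why the keystore generated once (or each node's keystore generated with --ca pointing at the same CA file) has to be the one copied to each node.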

Hi Tim

Thanks for replying. I have added the step to generate one CA, transferred the CA to all three nodes and ran the following command:
/opt/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-stack-ca.p12 --ca-pass "" --out /opt/elasticsearch/config/elastic-certificates.p12 --pass ""

Sadly, after restarting all 3 nodes, they still complain: "SSLHandshakeException: no cipher suites in common"

Can you provide the complete error message from the log, including the stack trace, please?