I configured a 2-node ES cluster with the TLS security section in the es yml file, using certificates in PKCS#12 format, the native realm by default, a basic license, elasticsearch-7.8.0-linux-x86_64.tar.gz, RHEL 5.11.
Used the command with no password:
bin/elasticsearch-certutil cert -out config/certs/elastic-certificates.p12 -pass ""
I placed the generated file elastic-certificates.p12 on both nodes in config/certs/, so it is not host/node specific.
Elasticsearch.yml
.....
xpack.security.enabled: true
#TLS
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
#SSL
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
xpack.security.transport.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1"]
Created a custom role and assigned privileges to it; created a custom user estester with password estester_pwd and assigned the role to the user.
Testing the TLS-only use case - With the SSL section in the config file commented out (testing TLS only), I was able to successfully test the cluster with a curl command like
curl -u estester:estester_pwd -XGET "http://host:port/_cluster/health?pretty"
Testing the TLS/SSL use case - After that I uncommented the SSL section in the config file (to test SSL) and restarted the nodes.
Ran
curl -u estester:estester_pwd -XGET "https://host:port/_cluster/health?pretty"
ES log:
... io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
Response on console:
SSL certificate problem, verify that the CA cert is ok. Details: error : SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Any advice on how this might be fixed?
What curl command might be used to test SSL on the cluster in my use case?
Is there any command to convert the passwordless elastic-certificates.p12 from PKCS#12 into PEM format?
Thanks in advance
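The two things asked for at the end of the post, as an added example that is not part of the original post: extracting the certificates from the passwordless PKCS#12 into PEM with openssl, and pointing curl at that PEM as its trust bundle instead of disabling verification with -k. It assumes openssl and curl are on PATH; host:port and the estester credentials are the placeholders from the post, and the constructed CA/node certificate pair stands in for the real certutil output.

```shell
#!/bin/sh
# Added example, not the poster's or Elastic's code. Converts the passwordless
# elastic-certificates.p12 to PEM and uses the result as curl's CA bundle.

# Dump every certificate in the PKCS#12 (the node cert and the CA that
# certutil embedded) to PEM, leaving the private key out. An empty -passin
# matches certutil's `-pass ""`. Prints the number of certificates written.
# Add -cacerts to keep only the CA entries if you prefer a smaller bundle.
extract_ca_bundle() {
    p12="$1"; pem="$2"
    openssl pkcs12 -in "$p12" -passin pass: -nokeys -out "$pem" 2>/dev/null || return 1
    grep -c 'BEGIN CERTIFICATE' "$pem"
}

# curl now verifies the server certificate against the extracted bundle
# instead of the system CA store, so the unknown-CA error goes away.
# Caveat: curl also checks that the host name matches the certificate's SAN;
# a certificate generated without certutil's --dns/--ip options has none, so
# expect a name-mismatch error until the certificate carries the host name.
# -k/--insecure skips verification entirely and is only for a quick check.
check_cluster_health() {
    bundle="$1"; hostport="$2"
    curl --cacert "$bundle" -u estester:estester_pwd \
        "https://$hostport/_cluster/health?pretty"
}

# Constructed stand-in for certutil output: a throwaway CA plus a node
# certificate signed by it, packed into a PKCS#12 with an empty password.
make_constructed_p12() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=constructed-ca \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=instance \
        -keyout node.key -out node.csr 2>/dev/null
    openssl x509 -req -days 1 -in node.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out node.crt 2>/dev/null
    openssl pkcs12 -export -in node.crt -inkey node.key -certfile ca.crt \
        -passout pass: -out "$out"
}
```

Run `extract_ca_bundle config/certs/elastic-certificates.p12 ca-bundle.pem` on a node and then `check_cluster_health ca-bundle.pem host:port`; the extracted bundle contains no private key, so it can be copied to the machine running curl.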