Hey, sorry this got missed from the breaking changes. We had a few improvements to the validation of SSL configuration, and this particular one got missed from the docs.
In your case, it looks like the old configuration worked by accident, because you're actually using the CA file as your keystore & truststore, which is not what the docs advise, and it typically indicates an error in configuration.
In your case it looks like it worked (well enough) in 7.x, but in most cases that sort of configuration would lead to additional, hard-to-diagnose errors. The change in 8.0 is designed to catch those errors earlier.
There are a couple of ways to solve this.
1. Extract the CA into a separate file and use that

`keytool` can extract the existing CA cert in PEM format for you, it would be something like:

```
keytool -exportcert -keystore elastic-stack-ca.p12 -storepass "" \
    -alias "ca" -rfc > elastic-stack-ca.pem
```

If your keystore has a password on it, then you will need to enter it in place of the quotes in `-storepass ""`.

Then you can set

```
xpack.security.transport.ssl.certificate_authorities: elastic-stack-ca.pem
```

in your `elasticsearch.yml`.

That will give you the same behaviour you had in ES7, although as I mentioned above, I think you've made a mistake in your configuration.
2. Stop using the CA file as your server cert

I would recommend that you fix up the problem with your nodes, rather than try and work around it.
It looks like you're using a CA as the server certificate, which isn't ideal, and it's what the documentation guides you to do.
Typically you would use `elasticsearch-certutil` to create a CA (as you have done) and then use that CA to generate one or more server certificates for use in your nodes. If you follow those steps then the file you end up with is usable as a keystore and a truststore, while the CA file is not.
In these instructions: Set up basic security for the Elastic Stack | Elasticsearch Guide [8.0] | Elastic, under the Generate the certificate authority section, it looks like you did step 1 (`elastic-stack-ca.p12`) but not step 2 (`elastic-certificates.p12`).
So, then when you got to the Encrypt internode communications with TLS section, you used the `elastic-stack-ca.p12` file in place of the `elastic-certificates.p12` file.
I would recommend going back through those instructions and working out where you went wrong, so you can switch over to using `elastic-certificates.p12` instead.