TLS not working with x-pack for es cluster

Hi,

I've a four-node es cluster with 3 data/master-eligible nodes and 1 coordinating-only node. I've installed x-pack on all of them. But, configuring the TLS part is where I'm lost. I'm following:

https://www.elastic.co/guide/en/elasticsearch/reference/6.0/installing-xpack-es.html
https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html

But when I try to bring up two nodes (one master and one coordinating-only node), I see the below errors (only important lines) on the coordinating-only node:

[2017-11-24T12:51:27,464][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [elk03-pco] client did not trust this server's certificate, closing connection [id: 0xd9c0adbb, L:0.0.0.0/0.0.0.0:59676 ! R:elk01-pco/10.12.193.204:9300]
[2017-11-24T12:51:28,104][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [elk03-pco] client did not trust this server's certificate, closing connection [id: 0x1454006e, L:0.0.0.0/0.0.0.0:9300 ! R:/10.12.193.204:36428]
[2017-11-24T12:51:28,464][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [elk03-pco] write and flush on the network layer failed (channel: [id: 0x02e99be2, L:0.0.0.0/0.0.0.0:59680 ! R:elk01-pco/10.12.193.204:9300])
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

([elk03-pco] - coordinating-only node, [elk01-pco] - master-eligible node)

I think it has something to do with certificate generation and copying it over to the other nodes. But, I'm not clear as to how to do it. Please let me know.

I moved the question to #x-pack

You're going to need to show us your configuration file.

Otherwise all I can do is point you to the same instructions that you've already tried.

It looks like you didn't set up your certificate authorities correctly, but I'm just guessing unless you can provide specific details on what you've done.

Yes, the CA part is what I am not sure about. I ran step (5) from the docs on both the servers, generating a set of four files (certs and keys) using certgen. Do the certs of a single node need to be copied over to the rest of the nodes in the cluster?

Below is the current configuration file on both servers:

xpack.ssl.key: certs/${node.name}/${node.name}.key
xpack.ssl.certificate: certs/${node.name}/${node.name}.crt
xpack.ssl.certificate_authorities: certs/ca/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true

Yes, they need to be on every node in the cluster.

That sounds like the problem.
You need to run certgen once only and then copy files to each of your nodes.
If you run it on each server, then the nodes will have different CAs and won't trust each other.

ok, yea, this is where I'm unsure. So, I ran certgen on the data/master-eligible server and below are the four files:

unzip certificate-bundle.zip 
Archive:  certificate-bundle.zip
   creating: ca/
  inflating: ca/ca.crt               
  inflating: ca/ca.key               
   creating: elk01/
  inflating: elk01/elk01.crt  
  inflating: elk01/elk01.key 

where elk01 is the name of node. Which ones need to go on to the other servers?

You need to run certgen on one server, and give it the names and addresses for each of your nodes.
Certgen will ask for the name of your first node, and its IP address and DNS name, and then it will ask if you have another instance. Keep answering "yes" until you have described all of your nodes.
Then the zip file that is generated will have a certificate and key for each node. You copy the corresponding {node}/{node}.crt, {node}/{node}.key and ca/ca.crt to every server.

@TimV, thanks! That really helped.
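
The failure and the fix discussed in this thread, as an added example that is not part of the original posts or of Elastic's tooling: it uses openssl (assumed to be installed) in place of certgen to build two throwaway CAs, then checks which node certificates a node trusting the first CA would accept. The run1/run2 directories and the elk01/elk03 names are constructed sample values.

```sh
#!/bin/sh
# Added example: confirm node certificates chain to the one CA all nodes trust.
# Throwaway CAs and certs are constructed with openssl; elk01/elk03 are sample names.

# cert_trusted_by CA_CERT NODE_CERT: succeeds only if NODE_CERT was signed by CA_CERT.
cert_trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint CA_CERT: SHA-256 fingerprint; it must be identical on every node.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_ca DIR: constructed CA, laid out like the bundle's ca/ca.crt and ca/ca.key.
make_ca() {
  mkdir -p "$1/ca"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca/ca.key" -out "$1/ca/ca.crt" 2>/dev/null
}

# make_node DIR NAME: issue NAME/NAME.crt and NAME/NAME.key signed by DIR's CA.
make_node() {
  mkdir -p "$1/$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2/$2.key" -out "$1/$2/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2/$2.csr" -CA "$1/ca/ca.crt" -CAkey "$1/ca/ca.key" \
    -CAcreateserial -days 1 -out "$1/$2/$2.crt" 2>/dev/null
}

work=$(mktemp -d)
# run1: generated once for both nodes. run2: generated again on the second server.
make_ca "$work/run1"; make_node "$work/run1" elk01; make_node "$work/run1" elk03
make_ca "$work/run2"; make_node "$work/run2" elk03

# Every node is configured with run1's ca.crt, so check each certificate against it.
for crt in run1/elk01/elk01.crt run1/elk03/elk03.crt run2/elk03/elk03.crt; do
  if cert_trusted_by "$work/run1/ca/ca.crt" "$work/$crt"; then
    echo "trusted    $crt"
  else
    echo "UNTRUSTED  $crt (issued by a different CA)"
  fi
done
echo "run1 CA: $(ca_fingerprint "$work/run1/ca/ca.crt")"
echo "run2 CA: $(ca_fingerprint "$work/run2/ca/ca.crt")"
```

On real nodes the same two functions can be pointed at the files referenced by xpack.ssl.certificate_authorities and xpack.ssl.certificate; a differing CA fingerprint between servers means certgen was run more than once.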
