I've a four-node es cluster with 3 data/master-eligible nodes and 1 coordinating-only node. I've installed x-pack on all of them. But, configuring the TLS part is where I'm lost. I'm following:
But when I try to bring up two nodes (one master and one coordinating-only node), I see the errors below (only the important lines) on the coordinating-only node:
[2017-11-24T12:51:27,464][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [elk03-pco] client did not trust this server's certificate, closing connection [id: 0xd9c0adbb, L:0.0.0.0/0.0.0.0:59676 ! R:elk01-pco/10.12.193.204:9300]
[2017-11-24T12:51:28,104][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [elk03-pco] client did not trust this server's certificate, closing connection [id: 0x1454006e, L:0.0.0.0/0.0.0.0:9300 ! R:/10.12.193.204:36428]
[2017-11-24T12:51:28,464][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [elk03-pco] write and flush on the network layer failed (channel: [id: 0x02e99be2, L:0.0.0.0/0.0.0.0:59680 ! R:elk01-pco/10.12.193.204:9300])
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
([elk03-pco] - coordinating-only node, [elk01-pco] - master-eligible node)
I think it has something to do with certificate generation and copying it over to the other nodes. But, I'm not clear as to how to do it. Please let me know.
You're going to need to show us your configuration file.
Otherwise all I can do is point you to the same instructions that you've already tried.
It looks like you didn't set up your certificate authorities correctly, but I'm just guessing unless you can provide specific details on what you've done.
Yes, the CA part is what I am not sure about. I ran step (5) from the docs on both servers, generating a set of four files (certs and keys) using certgen. Do the certs of a single node need to be copied over to the rest of the nodes in the cluster?
Below is the current configuration file on both servers:
That sounds like the problem.
You need to run certgen once only and then copy files to each of your nodes.
If you run it on each server, then the nodes will have different CAs and won't trust each other.
You need to run certgen on one server, and give it the names and addresses for each of your nodes.
Certgen will ask for the name of your first node, and its IP address and DNS name, and then it will ask if you have another instance. Keep answering "yes" until you have described all of your nodes.
Then the zip file that is generated will have a certificate and key for each node. You copy the corresponding {node}/{node}.crt, {node}/{node}.key and ca/ca.crt to every server.
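A way to check the result of the procedure above before starting the nodes, as an added example that is not part of the original thread: it verifies that every {node}/{node}.crt chains to the single ca/ca.crt. The function names are hypothetical, and the demo builds its throwaway certificates with openssl rather than certgen.

```bash
#!/usr/bin/env bash
# Layout assumed: <dir>/ca/ca.crt and <dir>/<node>/<node>.crt (the unzipped bundle).

# check_node_cert CA_CERT NODE_CERT: exit 0 only if NODE_CERT was issued by CA_CERT
check_node_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_bundle DIR: one line per node, non-zero return if any node fails
check_bundle() {
    local dir=$1 rc=0 crt node
    for crt in "$dir"/*/*.crt; do
        node=$(basename "$crt" .crt)
        [ "$node" = ca ] && continue
        if check_node_cert "$dir/ca/ca.crt" "$crt"; then
            echo "OK    $node"
        else
            echo "FAIL  $node (not signed by $dir/ca/ca.crt)"; rc=1
        fi
    done
    return $rc
}

# make_ca DIR: constructed throwaway CA for the demo (openssl, not certgen)
make_ca() {
    mkdir -p "$1/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca/ca.key" -out "$1/ca/ca.crt" 2>/dev/null
}

# make_node DIR NODE: issue NODE's certificate from the CA stored in DIR
make_node() {
    mkdir -p "$1/$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2/$2.key" -out "$1/$2/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2/$2.csr" -CA "$1/ca/ca.crt" -CAkey "$1/ca/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2/$2.crt" 2>/dev/null
}

# Demo (constructed data): elk01-pco is issued by the shared CA, elk03-pco by a
# second CA, which is what running the generator separately on each server produces.
demo() {
    local t; t=$(mktemp -d)
    make_ca "$t/shared"; make_node "$t/shared" elk01-pco
    make_ca "$t/other";  make_node "$t/other" elk03-pco
    cp -r "$t/other/elk03-pco" "$t/shared/"
    check_bundle "$t/shared"; local rc=$?
    rm -rf "$t"; return $rc
}
```

Source the file and run `check_bundle <dir>` on the directory where the zip was extracted; `demo` reports OK for elk01-pco and FAIL for elk03-pco.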