Truststore does not contain any trusted certificate entries

I used openssl to generate self-signed certs for Elasticsearch, but I am unable to use these certs to start Elasticsearch.

I keep getting the error below:

[2023-07-16T19:42:22,649][ERROR][o.e.b.Elasticsearch      ] [MacBook-Pro.local] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/Users/mac/Documents/logging/elasticsearch/config/certs/transport.p12] does not contain any trusted certificate entries
	at org.elasticsearch.xcore@8.8.2/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:617)
	at java.base/java.util.HashMap.forEach(HashMap.java:1429)
	at java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553)
	at org.elasticsearch.xcore@8.8.2/org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:613)
	at org.elasticsearch.xcore@8.8.2/org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:159)

See logs for more details.

ERROR: Elasticsearch did not exit normally - check the logs at /Users/mac/Documents/logging/elasticsearch/logs/playground-logging.log

I can't figure out the issue for the life of me.

These are the commands I used to generate the certs:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl genrsa -out elasticsearch.key 2048
openssl req -new -key elasticsearch.key -out elasticsearch.csr -config openssl.cnf
openssl x509 -req -in elasticsearch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out elasticsearch.crt -days 500 -sha256 -extfile elasticsearch.cnf -extensions v3_req

openssl pkcs12 -export -out elasticsearch.p12 -inkey elasticsearch.key -in elasticsearch.crt -certfile rootCA.pem
openssl genrsa -out transport.key 2048
openssl req -new -key transport.key -out transport.csr -config openssl.cnf
openssl x509 -req -in transport.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out transport.crt -days 500 -sha256 -extfile transport.cnf -extensions v3_req
openssl pkcs12 -export -out transport.p12 -inkey transport.key -in transport.crt -certfile rootCA.pem

And my elasticsearch.yml references the generated certs as shown below.

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/elasticsearch.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

Can someone please help me out? I can't figure out what I am doing wrong.
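
An added example, not part of the original post and not Elastic's code: it rebuilds the layout from the question with throwaway keys and inspects the result with `keytool`. A PKCS#12 file exported by `openssl pkcs12 -export -certfile` carries the CA only inside the private key's chain, so Java finds no trusted certificate entries in it, while a truststore built with `keytool -importcert` has one. The subject names, the `changeit` password, the `truststore.p12` file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example with constructed throwaway material: the subject names, the
# "changeit" password and truststore.p12 are assumptions, not from the post.
PASS=changeit

# Recreate the layout from the post in directory $1: a CA, a CA-signed
# certificate, and a keystore exported with `openssl pkcs12 -certfile`.
make_openssl_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/rootCA.key" \
    -subj "/CN=Constructed Test CA" -days 1 -out "$1/rootCA.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -keyout "$1/transport.key" \
    -subj "/CN=constructed-node" -out "$1/transport.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/transport.csr" -CA "$1/rootCA.pem" \
    -CAkey "$1/rootCA.key" -CAcreateserial -days 1 -sha256 \
    -out "$1/transport.crt" 2>/dev/null &&
  openssl pkcs12 -export -out "$1/transport.p12" -inkey "$1/transport.key" \
    -in "$1/transport.crt" -certfile "$1/rootCA.pem" -passout "pass:$PASS"
}

# Build a separate truststore in directory $1 whose only entry is the CA
# certificate, stored as a trustedCertEntry.
make_truststore() {
  keytool -importcert -noprompt -alias ca -file "$1/rootCA.pem" \
    -storetype PKCS12 -keystore "$1/truststore.p12" \
    -storepass "$PASS" >/dev/null 2>&1
}

# Print how many entries in PKCS#12 file $1 Java treats as trust anchors.
# grep -c exits non-zero on a count of 0, hence the `|| true`.
trusted_entries() {
  keytool -J-Duser.language=en -list -storetype PKCS12 -keystore "$1" \
    -storepass "$PASS" 2>/dev/null | grep -c 'trustedCertEntry' || true
}

main() {
  d=$(mktemp -d)
  make_openssl_p12 "$d" && make_truststore "$d"
  echo "transport.p12  trusted entries: $(trusted_entries "$d/transport.p12")"
  echo "truststore.p12 trusted entries: $(trusted_entries "$d/truststore.p12")"
  rm -rf "$d"
}

main
```

Pointing `truststore.path` at a file built like `truststore.p12`, or dropping `truststore.path` and listing `rootCA.pem` under `certificate_authorities`, gives the transport layer a trust anchor; `keystore.path` can stay on `transport.p12`.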
