I used openssl to generate self-signed certs for Elasticsearch, but I am unable to use these certs to start Elasticsearch.
I keep getting the below error:
[2023-07-16T19:42:22,649][ERROR][o.e.b.Elasticsearch ] [MacBook-Pro.local] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/Users/mac/Documents/logging/elasticsearch/config/certs/transport.p12] does not contain any trusted certificate entries
at org.elasticsearch.xcore@8.8.2/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:617)
at java.base/java.util.HashMap.forEach(HashMap.java:1429)
at java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553)
at org.elasticsearch.xcore@8.8.2/org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:613)
at org.elasticsearch.xcore@8.8.2/org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:159)
See logs for more details.
ERROR: Elasticsearch did not exit normally - check the logs at /Users/mac/Documents/logging/elasticsearch/logs/playground-logging.log
I can't figure out the issue for the life of me.
These are the commands I used to generate the certs:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl genrsa -out elasticsearch.key 2048
openssl req -new -key elasticsearch.key -out elasticsearch.csr -config openssl.cnf
openssl x509 -req -in elasticsearch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out elasticsearch.crt -days 500 -sha256 -extfile elasticsearch.cnf -extensions v3_req
openssl pkcs12 -export -out elasticsearch.p12 -inkey elasticsearch.key -in elasticsearch.crt -certfile rootCA.pem
openssl genrsa -out transport.key 2048
openssl req -new -key transport.key -out transport.csr -config openssl.cnf
openssl x509 -req -in transport.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out transport.crt -days 500 -sha256 -extfile transport.cnf -extensions v3_req
openssl pkcs12 -export -out transport.p12 -inkey transport.key -in transport.crt -certfile rootCA.pem
And my elasticsearch.yml references the generated certs as shown below.
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/elasticsearch.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
Can someone please help me out? I can't figure out what I am doing wrong.
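
The error in the post says the file named by truststore.path has no trusted certificate entries, and `keytool -list` prints the type of every entry in a store. Added example, not part of the original post: a shell check that classifies such a listing, with a helper that writes the CA into a separate truststore. The sample listings, the alias `ca` and the function names are constructed for illustration, and `keytool` from a JDK is assumed for the two functions that touch real files.

```shell
#!/bin/sh
# Added example (not from the original post). Sample listings are constructed.

# Reads `keytool -list` output on stdin, prints "alias<TAB>type" per entry and
# returns 0 only when at least one entry is a trustedCertEntry.
classify_entries() {
    awk '
        match($0, /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),/) {
            type = substr($0, RSTART, RLENGTH - 1)
            alias = $0; sub(/, .*/, "", alias)
            printf "%s\t%s\n", alias, type
            if (type == "trustedCertEntry") trusted++
        }
        END { exit (trusted > 0 ? 0 : 1) }'
}

# Lists a real PKCS#12 file (assumes keytool from a JDK is on PATH).
check_store() {        # usage: check_store <file.p12> <password>
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" | classify_entries
}

# Writes the CA certificate into its own PKCS#12 file as a trusted entry.
build_truststore() {   # usage: build_truststore <ca.pem> <out.p12> <password>
    keytool -importcert -noprompt -alias ca -file "$1" \
        -storetype PKCS12 -keystore "$2" -storepass "$3"
}

# Constructed listing: a store holding only a key pair and its chain.
SAMPLE_KEY_ONLY='Keystore type: PKCS12
Your keystore contains 1 entry

1, Jul 16, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed placeholder>'

# Constructed listing: the same store plus a CA imported as a trusted entry.
SAMPLE_WITH_CA="$SAMPLE_KEY_ONLY
ca, Jul 16, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed placeholder>"

for name in SAMPLE_KEY_ONLY SAMPLE_WITH_CA; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | classify_entries; then
        echo "$name: usable as a truststore"
    else
        echo "$name: no trusted certificate entries"
    fi
done
```

A file for which `check_store` returns 0 holds at least one trusted certificate entry, which is what the message in the log asks of the truststore.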