Unable to configure 'x-pack-security' under basic license

asad_ali · August 7, 2019, 12:22pm

I'm using ELK 7.1 , I want to configure basic authentication. So far I have performed the following:-

curl -u elastic:change http://127.0.0.1:9200/_security/_authenticate?pretty

{
  "error" : {
    "root_cause" : [
      {
        "type" : "exception",
        "reason" : "Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."
      }
    ],
    "type" : "exception",
    "reason" : "Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."
  },
  "status" : 500
}

When I enable it under "elasticsearch.yml" I get error and cannot start service

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: /root/elasticsearch-7.1.1/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /root/elasticsearch-7.1.1/elastic-certificates.p12

ava.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:614) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:163) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.node.Node.(Node.java:308) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-7.1.1.jar:7.1.1]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.1.1.jar:7.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.1.1.jar:7.1.1]
Caused by: java.lang.reflect.InvocationTargetException
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]
... 15 more
Caused by: java.lang.IllegalArgumentException: could not resolve verification mode. unknown value [/root/elasticsearch-7.1.1/elastic-certificates.p12]
at org.elasticsearch.xpack.core.ssl.VerificationMode.parse(VerificationMode.java:68) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.lambda$static$34(SSLConfigurationSettings.java:204) ~[?:?]
at org.elasticsearch.common.settings.Setting.get(Setting.java:412) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.common.settings.Setting.get(Setting.java:406) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createCertChainTrustConfig(SSLConfiguration.java:184) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createTrustConfig(SSLConfiguration.java:170) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.(SSLConfiguration.java:50) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:119) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:144) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]
... 15 more
[2019-08-07T12:14:05,163][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler]

elasticsearch-plugin install x-pack
ERROR: this distribution of Elasticsearch contains X-Pack by default

elasticsearch-plugin list

return empty result.

Bernt_Rostad · August 7, 2019, 1:01pm

This looks wrong. According to the official documentation for ES 7.1:

ssl.verification_mode

Indicates the type of verification when using ldaps to protect against man in the middle attacks and certificate forgery. Values are none , certificate , and full . Defaults to full .

If you're not using LDAP i suggest removing the verification_mode from your elasticsearch.yml file, else set it to the default (full) value.

If you haven't done so, you may want to add xpack.security.transport.ssl.keystore.path to elasticsearch.yml to identify your SSL keystore.

asad_ali · August 7, 2019, 7:02pm

Thanks,
Now i'm getting

java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:614) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.node.Node.<init>(Node.java:308) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-7.1.1.jar:7.1.1]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.1.1.jar:7.1.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.1.1.jar:7.1.1]
Caused by: java.lang.reflect.InvocationTargetException
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]
        ... 15 more
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:382) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:434) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:119) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:144) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]
        ... 15 more
Caused by: java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1472) ~[?:?]


xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: /root/elasticsearch-7.1.1/elastic-certificates.p12
xpack.security.transport.ssl.keystore.path: /root/elasticsearch-7.1.1/config/certifcate_v1/certifcate/wildcard_inboxbiz_com.pfx
xpack.security.transport.ssl.truststore.path: /root/elasticsearch-7.1.1/config/certifcate_v1/certifcate/wildcard_inboxbiz_com.pfx

The pfx password i verify mannual through openssl export command and it works, but same password i entered using

bin/elasticsearch-keystore add xpack.ssl.keystore.secure_password

Exception in thread "main" java.nio.file.AccessDeniedException: /root/elasticsearch-7.1.1/config/elasticsearch.keystore
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
at java.base/java.nio.file.Files.newByteChannel(Files.java:373)
at java.base/java.nio.file.Files.newByteChannel(Files.java:424)
at org.apache.lucene.store.SimpleFSDirectory.openInput(SimpleFSDirectory.java:77)
at org.elasticsearch.common.settings.KeyStoreWrapper.load(KeyStoreWrapper.java:206)
at org.elasticsearch.common.settings.AddStringKeyStoreCommand.execute(AddStringKeyStoreCommand.java:59)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.common.settings.KeyStoreCli.main(KeyStoreCli.java:41)

first i run bin/elasticsearch-keystore add xpack.ssl.keystore.secure_password using root it didn't give any error, but now i run it as non-root i gives above error.

asad_ali · August 7, 2019, 9:31pm

Kibanna stdout logs show as
{"type":"error","@timestamp":"2019-08-07T21:27:38Z","tags":["connection","client","error"],"pid":19741,"level":"error","error":{"message":"140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n","name":"Error","stack":"Error: 140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"},"message":"140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"}
{"type":"log","@timestamp":"2019-08-07T21:27:38Z","tags":["error","task_manager"],"pid":19741,"message":"Failed to poll for work: Error: No Living connections"}
{"type":"error","@timestamp":"2019-08-07T21:27:39Z","tags":["connection","client","error"],"pid":19741,"level":"error","error":{"message":"140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n","name":"Error","stack":"Error: 140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"},"message":"140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"}
{"type":"error","@timestamp":"2019-08-07T21:27:39Z","tags":["connection","client","error"],"pid":19741,"level":"error","error":{"message":"140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n","name":"Error","stack":"Error: 140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"},"message":"140008556844864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"}

asad_ali · August 7, 2019, 10:41pm

Latest I change the setting for .pem format certificate

xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
#xpack.security.transport.ssl.keystore.path: /root/elasticsearch-7.1.1/config/cert/wildcard_inboxbiz_com.pfx
#xpack.security.transport.ssl.truststore.path: /root/elasticsearch-7.1.1/config/cert/wildcard_inboxbiz_com.pfx
xpack.security.http.ssl.key: /root/elasticsearch-7.1.1/config/cert/wildcard_inboxbiz_com.key
xpack.security.http.ssl.certificate: /root/elasticsearch-7.1.1/config/cert/wildcard_inboxbiz_com.crt
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true

now error i get is
[2019-08-07T22:31:16,833][WARN ][o.e.d.SeedHostsResolver ] [illumni8] failed to resolve host [host1]
java.net.UnknownHostException: host1: Temporary failure in name resolution
at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method) ~[?:?]
at java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:929) ~[?:?]
at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1515) ~[?:?]
at java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:848) ~[?:?]
at java.net.InetAddress.getAllByName0(InetAddress.java:1505) ~[?:?]
at java.net.InetAddress.getAllByName(InetAddress.java:1364) ~[?:?]
at java.net.InetAddress.getAllByName(InetAddress.java:1298) ~[?:?]
at org.elasticsearch.transport.TcpTransport.parse(TcpTransport.java:536) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.transport.TcpTransport.addressesFromString(TcpTransport.java:489) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.transport.TransportService.addressesFromString(TransportService.java:744) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.discovery.SeedHostsResolver.lambda$resolveHostsLists$0(SeedHostsResolver.java:143) ~[elasticsearch-7.1.1.jar:7.1.1]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681) ~[elasticsearch-7.1.1.jar:7.1.1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:835) [?:?]
[2019-08-07T22:31:16,844][WARN ][o.e.d.SeedHostsResolver ] [illumni8] failed to resolve host [host2]
java.net.UnknownHostException: host2: Temporary failure in name resolution
at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method) ~[?:?]
at java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:929) ~[?:?]
at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1515) ~[?:?]
at java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:848) ~[?:?]
at java.net.InetAddress.getAllByName0(InetAddress.java:1505) ~[?:?]
at java.net.InetAddress.getAllByName(InetAddress.java:1364) ~[?:?]
at java.net.InetAddress.getAllByName(InetAddress.java:1298) ~[?:?]
at org.elasticsearch.transport.TcpTransport.parse(TcpTransport.java:536) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.transport.TcpTransport.addressesFromString(TcpTransport.java:489) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.transport.TransportService.addressesFromString(TransportService.java:744) ~[elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.discovery.SeedHostsResolver.lambda$resolveHostsLists$0(SeedHostsResolver.java:143) ~[elasticsearch-7.1.1.jar:7.1.1]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681) ~[elasticsearch-7.1.1.jar:7.1.1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:835) [?:?]
[2019-08-07T22:31:16,846][WARN ][o.e.d.SeedHostsResolver ] [illumni8] failed to resolve host [host3]
java.net.UnknownHostException: host3: Temporary failure in name resolution
at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method) ~[?:?]
at java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:929) ~[?:?]
at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1515) ~[?:?]
at java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:848) ~[?:?]
at java.net.InetAddress.getAllByName0(InetAddress.java:1505) ~[?:?]
at java.net.InetAddress.getAllByName(InetAddress.java:1364) ~[?:?]
at java.net.InetAddress.getAllByName(InetAddress.java:1298) ~[?:?]
at org.elasticsearch.transport.TcpTransport.parse(TcpTransport.java:536) ~........................

Bernt_Rostad · August 8, 2019, 5:31am

I'm using 6.8 myself so there could be some differences between your case and my security setup. But I noticed the /root directory in your xpack.security configurations which immediately set off alarm bells in my mind. And the following error you report seems to confirm my worries:

This error tells us that Elasticsearch is running with a user that don't have privileges to access the keystore, which I guess is currently owned by the root user.

In general, Elasticsearch should not be installed with or run as root user, both for safety reasons and because if Elasticsearch is later started with a non-root user it will fail to read and update the root owned files. It will therefor fail to start.

In my elasticsearch.yml file I use relative paths for the xpack.security configuration because I create them inside the installation so that I know the directories will have the same owner as the rest of the installation. And the same user I start Elasticsearch with. My configuration looks like this on all my nodes:

xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12
xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12

The certs/ directory is located inside the config/ directory of the Elasticsearch installation. The ${node.name}.p12 expands to the filename with the certificate for the current node (e.g. node2.p12).

Each node in my cluster has its own, unique certificate in its "node".p12 file, signed with the same cluster CA (you can either use an external CA authority or create your own - see Generating Node Certificates) so that all the nodes in the cluster can communicate securely with each other over SSL.

asad_ali · August 8, 2019, 5:54am

Point well-noted,I moved this to new thread as this was getting too long and noisy with log data.

I had also tested with cert/filename.key and cert/filename.crt but results are same but error here are very different now

system · September 5, 2019, 5:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.