Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore

Ekta · January 7, 2024, 9:54am

Hi Team,

I am upgrading elasticsearch from 7.17.0 to 8.11 on ubuntu 22.04

I have completed elasticsearch installation and x-pack while I am creating token for cluster it is showing below error

Error: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore

below is my config file:

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
node.roles: ["master","data"]
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /data/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: xx.xx.xx.xx
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["node1"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
cluster.initial_master_nodes: ["node1"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false
indices.query.bool.max_clause_count: 50100
indices.fielddata.cache.size: 40%
action.destructive_requires_name: true
indices.breaker.fielddata.limit: 60%
##action.auto_create_index: false
http.max_content_length: 900mb
indices.recovery.max_bytes_per_sec: 100mb
#
#xpack.security.enabled: false
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.key: /etc/elasticsearch/cert/esdemo.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/cert/esdemo.crt
xpack.security.transport.ssl.supported_protocols: TLSv1.2
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: none
xpack.security.http.ssl.key: /etc/elasticsearch/cert/esdemo.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/cert/esdemo.crt
xpack.security.http.ssl.supported_protocols: TLSv1.2

~

stephenb · January 7, 2024, 2:41pm

Hi @Ekta

Since you are doing manual configuration / upgrade do not use the enrollment token method to add new nodes.... It is not supported.

See here

elasticsearch-create-enrollment-token can only be used with Elasticsearch clusters that have been auto-configured for security.

If this was already previously a cluster which it looks like it was, then you don't need the enrollment at all and the cluster should form as it did before.

Also, if it is already bootstrapped and formed a cluster you should take out the cluster.initial_master_nodes setting.

system · February 4, 2024, 2:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.