Unable to create an enrollment token

Hi,
I am trying to add a node to a newly formed 8.6 cluster. As the first step I configured the CA and certificates and modified the elasticsearch.yml. Cluster started -> fine

The error is also described in:

This statement doesn't help:

ikakavas (Ioannis Kakavas, Elastic Team Member), Feb 2022

Hi there,

The enrolment process is designed to work only with the auto-configured TLS setup that one gets with Elasticsearch 8.0.
...

My Config:

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 02-03-2023 12:17:50
#
# --------------------------------------------------------------------------------

discovery.seed_hosts: [slvtmgrels99, slvtmgrels98, slvtmgrels97]

  #xpack.security.enrollment.enabled: true

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: /etc/elasticsearch/certificate/slvtmgrels99.p12
    ## keystore or key/certificate
    #key: /etc/elasticsearch/certificate/slvtmgrels99.key
    #certificate: /etc/elasticsearch/certificate/slvtmgrels99.crt
  certificate_authorities: /etc/elasticsearch/certificate/elk_t99-ca.crt

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: /etc/elasticsearch/certificate/slvtmgrels99.p12
    #  truststore or cert_auth ... not both
    #  truststore.path: /etc/elasticsearch/certificate/slvtmgrels99.p12
  certificate_authorities: /etc/elasticsearch/certificate/elk_t99-ca.crt

# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["slvtmgrels99"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

My Error message:

slvtmgrels99:/etc/elasticsearch/certificate # /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
Unable to create enrollment token for scope [node]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate

Any suggestions?
Sorry for my bad layout!

regards
harry

This is a known issue. Please see Import CA Cert as PrivateKeyEntry to HTTP Keystore - Solve Unable to create enrollment token Error - #2 by Yang_Wang

Works, thanks a lot.

regards
harry
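
The error in this thread says the HTTP keystore has no PrivateKeyEntry whose own certificate is a CA certificate. As an added example (not code from the thread or from Elasticsearch), the Python below applies that same test to the text of a `keytool -list -v` listing. The listing is constructed and abridged, and its alias names are assumptions.

```python
import re

# Constructed, abridged `keytool -list -v` output (not taken from the thread):
# a node key entry with its issuing chain, plus the CA as a certificate-only entry.
SAMPLE_LISTING = """\
Alias name: node-http
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node-http
BasicConstraints:[
  CA:false
]
Certificate[2]:
Owner: CN=example-ca
BasicConstraints:[
  CA:true
]

*******************************************

Alias name: ca
Entry type: trustedCertEntry
Owner: CN=example-ca
BasicConstraints:[
  CA:true
]
"""

def ca_key_entries(listing):
    """Map each PrivateKeyEntry alias to True if its own certificate is a CA."""
    result = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip()
        if not re.search(r"(?m)^Entry type: PrivateKeyEntry", block):
            continue  # a CA certificate stored without its key does not count
        # Certificate[1] belongs to the key; later certificates are the issuing chain.
        own = re.split(r"(?m)^Certificate\[2\]:", block)[0]
        m = re.search(r"BasicConstraints:\[\s*CA:(true|false)", own)
        # No BasicConstraints extension at all means the certificate is not a CA.
        result[alias] = bool(m) and m.group(1) == "true"
    return result

def has_ca_private_key(listing):
    """True if at least one private key entry is paired with a CA certificate."""
    return any(ca_key_entries(listing).values())

if __name__ == "__main__":
    print(ca_key_entries(SAMPLE_LISTING), has_ca_private_key(SAMPLE_LISTING))
```

The sample listing returns False: the CA certificate is present only in the chain and as a trustedCertEntry, never as the certificate of a private key entry, which is the condition the error message names.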
