Hi,
I am trying to add a node to a newly formed 8.6 cluster. As the first step I configured the CA and certificates and modified the elasticsearch.yml. Cluster started -> fine
The error is also described in:
This statement doesn't help:
ikakavas (Ioannis Kakavas, Elastic Team Member):
Hi there,
The enrolment process is designed to work only with the auto-configured TLS setup that one gets with Elasticsearch 8.0.
...
My Config:
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 02-03-2023 12:17:50
#
# --------------------------------------------------------------------------------
discovery.seed_hosts: [slvtmgrels99, slvtmgrels98, slvtmgrels97]
#xpack.security.enrollment.enabled: true
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: /etc/elasticsearch/certificate/slvtmgrels99.p12
  ## keystore or key/certificate
  #key: /etc/elasticsearch/certificate/slvtmgrels99.key
  #certificate: /etc/elasticsearch/certificate/slvtmgrels99.crt
  certificate_authorities: /etc/elasticsearch/certificate/elk_t99-ca.crt
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: /etc/elasticsearch/certificate/slvtmgrels99.p12
  # truststore or cert_auth ... not both
  # truststore.path: /etc/elasticsearch/certificate/slvtmgrels99.p12
  certificate_authorities: /etc/elasticsearch/certificate/elk_t99-ca.crt
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["slvtmgrels99"]
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
transport.host: 0.0.0.0
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
My Error message:
slvtmgrels99:/etc/elasticsearch/certificate # /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
Unable to create enrollment token for scope [node]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate
Any suggestions?
Sorry for my bad layout!
regards
harry
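
The error above says the HTTP-layer keystore has no PrivateKey entry whose certificate is a CA certificate. The following is an added example (not part of the original post and not Elastic's code) of one way to check a PKCS#12 keystore for such an entry with the openssl CLI. The function names, the sample keystores and their password are constructed for illustration, and treating "CA certificate" as "basicConstraints CA:TRUE" is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.

# count_ca_key_entries P12 PASSWORD (hypothetical helper)
#   Prints how many private-key entries in the keystore carry a certificate
#   marked as a CA (basicConstraints CA:TRUE). Exit status 2 if unreadable.
count_ca_key_entries() (
  tmp=$(mktemp -d) || exit 2
  # -clcerts: only certificates bound to a private key (localKeyID attribute)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
    > "$tmp/all.pem" 2>/dev/null || { rm -rf "$tmp"; exit 2; }
  # Split the PEM bundle into one file per certificate
  awk -v d="$tmp" '/BEGIN CERTIFICATE/ { i++; f = d "/c" i ".pem" }
                   f { print > f }
                   /END CERTIFICATE/ { close(f); f = "" }' "$tmp/all.pem"
  n=0
  for c in "$tmp"/c*.pem; do
    [ -e "$c" ] || continue
    if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
      n=$((n + 1))
    fi
  done
  rm -rf "$tmp"
  echo "$n"
)

# make_sample DIR (hypothetical helper): writes constructed test keystores
# ca.p12 (CA:TRUE) and leaf.p12 (CA:FALSE) into DIR, password "changeit".
make_sample() (
  cd "$1" || exit 2
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=constructed-sample' '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf_ext]' 'basicConstraints=CA:FALSE' > o.cnf
  for kind in ca leaf; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config o.cnf \
      -extensions "${kind}_ext" -keyout "$kind.key" -out "$kind.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$kind.key" -in "$kind.crt" -name "$kind" \
      -passout pass:changeit -out "$kind.p12"
  done
)

# Usage: sh check_p12.sh /path/to/keystore.p12 'keystore-password'
if [ "$#" -eq 2 ]; then count_ca_key_entries "$1" "$2"; fi
```

A result of 0 for the keystore referenced by `xpack.security.http.ssl.keystore.path` matches the condition the error message describes.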