Unable to generate enrollment-token for new elasticsearch node

When I use elasticsearch-create-enrollment-token -s node to generate the token to enrol a new Elasticsearch node, I get the following error message:

Unable to create enrollment token for scope [node]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate, with exit code 73

I see that there is this topic with the same issue:

Anyway, I use custom certificates, generated with my own CA, for both the transport and HTTP layers.
I don't want to import the CA key into the Elasticsearch keystore, and I think it is not a safe choice.

Is it possible that this is a requirement?

Hi @fabio.virive Welcome to the community.

Since you are using your own certificates and manually configured the initial node, you should not (cannot) use the enrollment token method. That should only be used when you use the auto security method.

You need to manually configure the node to join the cluster.

Hi @stephenb, thanks for your answer.
I can't find any documentation about the manual configuration of an additional node. Can you point me to some official documentation?

Regards

I don't think it exists, at least I could not find anything about it.

But the process is simple.

Basically, you just need to generate the certificate for the new node and then change the relevant configurations in elasticsearch.yml, which are the xpack.security.* settings, to point to the certificate.

The cluster.name needs to be the same, and the setting discovery.seed_hosts needs to point to the current master-eligible nodes.

If you share the elasticsearch.yml that you are using on the other nodes, it would be easier to show what needs to be changed.

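As an added illustration of the manual join described in the last reply (this is not configuration from the thread or from Elastic's documentation), here is what the elasticsearch.yml of a new node typically looks like when the cluster uses certificates issued by your own CA. The cluster name, node name, hostnames and file names are placeholders; the node certificate and key are assumed to have been issued by the same CA that signed the existing nodes' certificates, and only the CA's public certificate (not its private key) is placed on the node:

```yaml
# elasticsearch.yml for a node joining an existing, manually secured cluster.
# Hypothetical values; adapt names and paths to your environment.

cluster.name: my-cluster                       # must match the existing nodes exactly
node.name: node-2                              # unique per node
network.host: 0.0.0.0

# Point at the current master-eligible nodes (transport port, default 9300).
discovery.seed_hosts: ["node-1.example.internal:9300"]

# Do NOT set cluster.initial_master_nodes on a joining node; that setting is only
# for bootstrapping a brand-new cluster.

xpack.security.enabled: true

# Transport layer (node-to-node): node cert/key signed by your CA, plus the CA cert
# used to verify the other nodes. Only the CA's public certificate is needed here.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate   # use "full" if the certs carry correct hostnames/IPs
xpack.security.transport.ssl.key: certs/node-2.key
xpack.security.transport.ssl.certificate: certs/node-2.crt
xpack.security.transport.ssl.certificate_authorities: ["certs/ca.crt"]

# HTTP layer (clients, Kibana): may reuse the same material or a separate cert.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/node-2.key
xpack.security.http.ssl.certificate: certs/node-2.crt
xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]
```

Paths are relative to the config directory. If the private key is encrypted, keep the passphrase out of elasticsearch.yml and add it to the Elasticsearch keystore instead (the xpack.security.transport.ssl.secure_key_passphrase and xpack.security.http.ssl.secure_key_passphrase settings). Note that the enrollment-token error in the original post is consistent with this layout: that tool looks for a CA private key in the node's HTTP keystore, which a deployment using an external CA deliberately does not have, so the manual configuration above is the expected path rather than a workaround.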