Support is definitely the best option here, but in order to make as much information available online here's a few pointers:
-
Generally I would recommend running setup-passwords before configuring TLS. You don't have to do that, but when you're starting out for the very first time, I think that the most straight forward path is the order below. It does require starting and stopping you node(s) multiple times, and changing configuration as you go, so it's not suitable for every environment (which is why it's not the instructions in the docs) but if you want a path where you do 1 step, verify it worked, and then do the next step, this is the way to go:
- Install a single ES node.
- Install X-Pack on that node.
- Run setup-passwords on that node.
- Add additional nodes (ES + X-Pack).
- Enable TLS for node transport.
- Enable TLS for HTTP.
-
We have a trouble shooting guide for setup-passwords. It needs a little bit more curating, but it does describe your most recent issue: https://www.elastic.co/guide/en/x-pack/current/trb-security-setup.html
-
The challenge with setup-passwords is that it acts as a client of the ES HTTP API, but Elasticsearch is not normally a consumer of its own API. So you can have a perfectly configured ES cluster, but it doesn't know how to talk to itself (because it normally doesn't need to). That usually becomes a problem when SSL/TLS is involved because the steps you need to do to make Elasticsearch work as an HTTP server with TLS are not the same as what you need to make a client talk to Elasticsearch over HTTPS.
-
In this case, I think you just want to add the following to the
elasticsearch.ymlfor each node.xpack.security.http.ssl.certificate_authorities: certs\ca.crt