Unable to set up SSL/TLS for cross cluster search or 9300 port

The following is my Elasticsearch main instance (172.x.x.2) config:

search:
  remote:
    cluster_1:
      seeds: 172.x.x.1:9300
xpack.ssl.keystore.path: certs/ELK1.p12
xpack.ssl.truststore.path: certs/ELK1.p12
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate

The following is my Elasticsearch seed (172.x.x.1) instance config:

xpack.security.enabled: true
xpack.ssl.keystore.path: certs/ELK2.p12
xpack.ssl.truststore.path: certs/ELK2.p12
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate

I am getting errors on the 172.x.x.2 server, like:

[WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [es-node-1] caught exception while handling client http traffic, closing connection [id: 0x94ca01fd, L:0.0.0.0/0.0.0.0:9200 ! R:/172.x.x.1:60944]

I am completely clueless here because, when I have enabled SSL/TLS for both, why am I getting HTTP traffic? It should be HTTPS. SSL/TLS on 9200 works, as my Kibana is able to talk to Elasticsearch. Is it something to do with 9300 not being configured to handle SSL/TLS?

If I do the following:

openssl s_client -connect 172.x.x.1:9200
openssl s_client -connect 172.x.x.1:9300

...I get errors on port 9300, like:

140186801710992:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
140186801710992:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

...and for 9300 it shows acceptable client certificates but not for 9200. Like:

Acceptable client certificate CA names
/CN=ELK2
/CN=Elastic Certificate Tool Autogenerated CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Please point me to any documentation on how to enable SSL/TLS for 9300 port or to a workaround for the above.
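
An added example, not part of the original post: Elasticsearch's transport port asks for a client certificate by default (`xpack.security.transport.ssl.client_authentication` defaults to `required`), which is consistent with the "Acceptable client certificate CA names" list shown for 9300, so an `openssl s_client` probe has to present a certificate taken from the node's PKCS#12 keystore. The script reproduces both outcomes against a local `openssl s_server` standing in for the node; the CA, port, password and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Port, password and all file names are constructed for a local demo.
PORT=19300
PASS=demo-pass

make_pki() {   # $1 = dir: throwaway CA, server cert, and a client identity in PKCS#12
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
    openssl x509 -req -in "$1/$n.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -out "$1/$n.crt" 2>/dev/null
  done
  openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
    -certfile "$1/ca.crt" -passout "pass:$PASS" -out "$1/client.p12"
}

unpack_p12() { # $1 = .p12, $2 = output prefix: s_client takes PEM files, not PKCS#12
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -clcerts -nokeys -out "$2.crt"
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes -out "$2.key"
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -cacerts -nokeys -out "$2.ca"
}

start_server() { # $1 = dir: -Verify makes a client certificate mandatory
  openssl s_server -accept "$PORT" -tls1_2 -www -Verify 1 -CAfile "$1/ca.crt" \
    -cert "$1/server.crt" -key "$1/server.key" >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
}

probe() {      # $1 = CA bundle, rest = extra s_client args; status 0 = handshake completed
  ca=$1; shift
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$ca" "$@" \
    </dev/null >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); make_pki "$d"; unpack_p12 "$d/client.p12" "$d/id"
  start_server "$d"
  if probe "$d/id.ca"; then echo "no client cert: accepted"
  else echo "no client cert: rejected"; fi
  if probe "$d/id.ca" -cert "$d/id.crt" -key "$d/id.key"
  then echo "cert from .p12: accepted"; else echo "cert from .p12: rejected"; fi
  kill "$SERVER_PID"; rm -rf "$d"
}

if [ "${1:-}" = run ]; then demo; fi
```

Against a real node only `unpack_p12` is needed: set `PASS` to the keystore password, run it on the node's `.p12`, and pass the resulting files to `openssl s_client -connect host:9300` with `-cert`, `-key` and `-CAfile`.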
