Upgrade Elasticsearch 8.2 to 8.x leads to ssl problems

Ljapunov · January 24, 2024, 2:33pm

Hi everyone,

I tried to upgrade two different clusters containing 3 or 5 nodes. Both are running elasticsearch 8.2.0 and I tried upgrading to different versions 8.11.4, 8.5.3 and 8.4.3. But all attempts failed with the same result.

After upgrading the first node, ssl handshake between node and cluster fails. This is from the node's log:

[2024-01-24T14:39:58,753][WARN ][o.e.t.TcpTransport       ] [elastic-server-tst2] exception caught on transport layer [Netty4TcpChannel{localAddress=/x.y.z.155:54904, remoteAddress=elastic-server-tst1.my.domain/x.y.z.154:9300, profile=default}], closing connection 
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Hostname or IP address is undefined.

This if from the log of one of the cluster's nodes:

[2024-01-24T14:48:48,817][WARN ][o.e.t.TcpTransport       ] [elastic-server-tst1] exception caught on transport layer [Netty4TcpChannel{localAddress=/x.y.z.154:9300, remoteAddress=/x.y.z.155:52112, profile=default}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

I had to change fqdns and ips.

OS is Ubuntu 20.04 and we use Readonlyrest-plugin.

Can someone explain to me, what is going on? Prior updates including the major-update 7.17.3 -> 8.2.0 worked out-of-the-box.

/etc/elasticsearch/elasicsearch.yml:

action:
  destructive_requires_name: true
cluster:
  initial_master_nodes:
  - elastic-server-tst1.my.domain
  - elastic-server-tst2.my.domain
  - elastic-server-tst3.my.domain
  name: my-tst-cluster
discovery:
  seed_hosts:
  - elastic-server-tst1.my.domain
  - elastic-server-tst2.my.domain
  - elastic-server-tst3.my.domain
http:
  compression: true
  cors:
    allow-credentials: true
    allow-origin: "/.*/"
    enabled: true
  type: ssl_netty4
network:
  host: x.y.z.155
node:
  attr:
    dc: virtuell
path:
  repo:
  - "/path1"
  - "/path2"
  - "/path3"
path.data: "/elastic/elasticsearch-data"
path.logs: "/var/log/elasticsearch"
transport:
  type: ror_ssl_internode
xpack:
  security:
    enabled: false
    http:
      ssl:
        enabled: false
    transport:
      ssl:
        enabled: false

leandrojmp · January 24, 2024, 3:14pm

You are using a third-party plugin that takes care of the SSL communication between your nodes, you need to contact the developers of this plugin to understand what may happen as this plugin is not supported here.

system · February 21, 2024, 3:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL Handshake error while adding node to elasticsearch Elasticsearch	1	394	August 6, 2021
SSL errors remaining after upgrade to 7.5.0 Elasticsearch elastic-stack-security	2	5603	January 17, 2020
Elasticsearch 6.8 security update error while configuring it Elasticsearch elastic-stack-security	12	4068	July 9, 2019
Client SSL Handshake Issues Elasticsearch	7	9084	February 13, 2018
Remote Client not able to connect to Elasticsearch Cluster via SSL in place Elasticsearch elastic-stack-security	7	1506	June 10, 2021

Upgrade Elasticsearch 8.2 to 8.x leads to ssl problems

Related Topics