Upgrade Elasticsearch 8.2 to 8.x leads to ssl problems

Elastic Stack Elasticsearch
1

Hi everyone,

I tried to upgrade two different clusters containing 3 or 5 nodes. Both are running elasticsearch 8.2.0 and I tried upgrading to different versions 8.11.4, 8.5.3 and 8.4.3. But all attempts failed with the same result.

After upgrading the first node, ssl handshake between node and cluster fails. This is from the node's log:

[2024-01-24T14:39:58,753][WARN ][o.e.t.TcpTransport       ] [elastic-server-tst2] exception caught on transport layer [Netty4TcpChannel{localAddress=/x.y.z.155:54904, remoteAddress=elastic-server-tst1.my.domain/x.y.z.154:9300, profile=default}], closing connection 
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Hostname or IP address is undefined.

This if from the log of one of the cluster's nodes:

[2024-01-24T14:48:48,817][WARN ][o.e.t.TcpTransport       ] [elastic-server-tst1] exception caught on transport layer [Netty4TcpChannel{localAddress=/x.y.z.154:9300, remoteAddress=/x.y.z.155:52112, profile=default}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

I had to change fqdns and ips.

OS is Ubuntu 20.04 and we use Readonlyrest-plugin.

Can someone explain to me, what is going on? Prior updates including the major-update 7.17.3 -> 8.2.0 worked out-of-the-box.

/etc/elasticsearch/elasicsearch.yml:

action:
  destructive_requires_name: true
cluster:
  initial_master_nodes:
  - elastic-server-tst1.my.domain
  - elastic-server-tst2.my.domain
  - elastic-server-tst3.my.domain
  name: my-tst-cluster
discovery:
  seed_hosts:
  - elastic-server-tst1.my.domain
  - elastic-server-tst2.my.domain
  - elastic-server-tst3.my.domain
http:
  compression: true
  cors:
    allow-credentials: true
    allow-origin: "/.*/"
    enabled: true
  type: ssl_netty4
network:
  host: x.y.z.155
node:
  attr:
    dc: virtuell
path:
  repo:
  - "/path1"
  - "/path2"
  - "/path3"
path.data: "/elastic/elasticsearch-data"
path.logs: "/var/log/elasticsearch"
transport:
  type: ror_ssl_internode
xpack:
  security:
    enabled: false
    http:
      ssl:
        enabled: false
    transport:
      ssl:
        enabled: false
2

You are using a third-party plugin that takes care of the SSL communication between your nodes, you need to contact the developers of this plugin to understand what may happen as this plugin is not supported here.

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.