I am having issues getting TLS working on my two-node cluster. I know two-node is not best practice or supported in Elastic or any other clustering technology, but this is just test environment that I will add more nodes to once I am done.
I had this cluster working fine until I attempted to enable TLS. The first problem is I am not getting any log files in /var/log/elasticsearch/* other than the gc.log files. My cluster log files do not exist (Ubuntu).
I've set the following parameters:
- cluster.name
- node.name
- network.host
- discovery.seed_hosts
- cluster.initial_master_nodes (set this to node 1 on both servers)
- node.master: true [this is on the master but node.data is on the other one]
This was all working till I tried:
I set the store password for the SSL:
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
I set it this way on both servers using the same PFX file since this was a SAN I generated with our Windows CA that contains all the alternate names (including Kibana but I am leaving Kibana discussion out for now).
I can access the primary node using HTTPS and it shows yellow with 1 node
https://10.10.14.254:9200/_cluster/health?pretty
I can access the secondary node using HTTPS and it shows:
master_not_discovered_exception
When I attempt to access port 9300 (which I understand is the node communication port) I get an error about not providing a valid client certificate. Chrome displays: "ERR_BAD_SSL_CLIENT_AUTH_CERT"
If I changed "xpack.security.transport.ssl.enabled" to false then they join up and are fine. Also if I disable verification but leave transport.ssl.eanbled to true then it works. So something is failing in the verification process but what?
Since it is not generating any log files, I'm not really sure where to go next.
Thank you!