Using TLS with PFX from third party in 7.11

I am having issues getting TLS working on my two-node cluster. I know two-node is not best practice or supported in Elastic or any other clustering technology, but this is just test environment that I will add more nodes to once I am done.

I had this cluster working fine until I attempted to enable TLS. The first problem is I am not getting any log files in /var/log/elasticsearch/* other than the gc.log files. My cluster log files do not exist (Ubuntu).

I've set the following parameters:

  • discovery.seed_hosts
  • cluster.initial_master_nodes (set this to node 1 on both servers)
  • node.master: true [this is on the master but is on the other one]

This was all working till I tried:

I set the store password for the SSL:
bin/elasticsearch-keystore add
bin/elasticsearch-keystore add
bin/elasticsearch-keystore add

I set it this way on both servers using the same PFX file since this was a SAN I generated with our Windows CA that contains all the alternate names (including Kibana but I am leaving Kibana discussion out for now).

I can access the primary node using HTTPS and it shows yellow with 1 node

I can access the secondary node using HTTPS and it shows:

When I attempt to access port 9300 (which I understand is the node communication port) I get an error about not providing a valid client certificate. Chrome displays: "ERR_BAD_SSL_CLIENT_AUTH_CERT"

If I change "" to false then they join up and are fine. Also if I disable verification but leave transport.ssl.enabled set to true then it works. So something is failing in the verification process, but what?

Since it is not generating any log files, I'm not really sure where to go next.

Thank you!

Please don't post images of text (config, logs, etc) as they are hard to read, may not display correctly for everyone, and are not searchable.

You need to sort this out. You cannot effectively support a cluster that has no logs.
Does your elasticsearch.yml have an explicit setting for path.logs?

A "pfx" generated by a third party is unlikely to work as a truststore. You will need to extract the CA from the pfx using openssl or keytool into a PEM file and then configure certificate_authorities instead.

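The extraction the reply above describes, as an added shell example that is not from the thread or from Elastic: it pulls the CA chain, node certificate and key out of a PFX into separate PEM files and checks that the node certificate actually chains to the extracted CA. The PFX it works on is a constructed stand-in built with openssl (a private root CA and one node certificate), standing in for the Windows CA export; the elasticsearch.yml keys named in the comments are Elasticsearch's real xpack.security.transport.ssl.* settings.

```shell
#!/bin/sh
# Added example, not from the thread: turn a third-party PFX into the PEM files that
# Elasticsearch's certificate_authorities / certificate / key settings expect.
set -eu

# extract_ca_pem PFX PASSWORD OUT_PEM
# Writes only the CA certificates in the PFX (no private key, no node certificate) as
# clean PEM blocks and prints how many it wrote. An older Windows export that still
# uses RC2/3DES may need "-legacy" added to the openssl pkcs12 calls on OpenSSL 3.
extract_ca_pem() {
  local pfx="$1" pass="$2" out="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$out"  # strip "Bag Attributes"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# extract_node_pem PFX PASSWORD OUT_CERT OUT_KEY
# The node's own certificate and unencrypted key, for ssl.certificate / ssl.key.
extract_node_pem() {
  local pfx="$1" pass="$2" cert="$3" key="$4"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$cert"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' > "$key"
  chmod 600 "$key"   # the key file must stay readable only by the elasticsearch user
}

# chain_ok CA_PEM NODE_CERT: succeeds only if the node certificate chains to the
# extracted CA, which is what the transport layer checks when verification is left on.
# With the three PEM files in place the settings become:
#   xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca.pem" ]
#   xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/node.pem
#   xpack.security.transport.ssl.key: /etc/elasticsearch/certs/node.key
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# make_demo_pfx DIR PASSWORD: constructed stand-in for the Windows CA export in the
# thread (a private root CA plus a node certificate it signed, bundled with the CA).
make_demo_pfx() {
  local dir="$1" pass="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=es-node1" \
    -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$dir/node.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/node.key" -in "$dir/node.pem" \
    -certfile "$dir/ca.pem" -passout "pass:$pass" -out "$dir/node.pfx"
}
```

To try it end to end, call make_demo_pfx on a scratch directory, then extract_ca_pem and extract_node_pem on the resulting node.pfx and pass the two outputs to chain_ok; a real export is used the same way, with only the PFX path and password changed.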
