[x-pack] enabled: Unable to communicate to Elasticsearch using only cacert from client machines

As I said above, you need a different pair for the server and a different for the client. You can't use one key/certificate for both sides.

xpack.security.http.ssl.key
xpack.security.http.ssl.certificate

is one thing.

The ones you will use with --key and --certificate is another thing.