Closed brsolomon-deloitte closed 2 years ago
Regenerated the ca and cert with a password for each, added es_ssl_keystore_password and es_ssl_truststore_password to es-vars.yaml - same failure.
It looks like you are passing the --multiple flag to elasticsearch-certutil, which outputs a zip archive of all the requested certs.
https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html#certutil-cert
If you specify the --keep-ca-key, --multiple or --in parameters, the command produces a zip file containing the generated certificates and keys.
I think you just need to extract the archive and move the contents to the expected locations to remediate this issue.
@bndabbs thanks for responding, I confirmed this is the case. The resulting my-keystore.p12 is a ZIP archive of individual p12s that, when unzip'd, produces es-{1..3}/*.p12 for each node.
I'll be re-deploying a new cluster today pointing to the correct keystore for each node, and will close this issue if that resolves the exception.
Confirmed this was the case. By passing an individual es_ssl_keystore to each host block the cluster now comes up green and is accessible via https (with a --cacert needed).
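The two comments above describe the root cause (the file handed to es_ssl_keystore was the zip that elasticsearch-certutil writes with --multiple, not a PKCS#12 keystore) and the fix (one extracted keystore per node). The following is an added example, not code from the ansible-elasticsearch project or from anyone in this thread: it tells a zip apart from a PKCS#12 file by its leading bytes, unpacks the per-node .p12 entries into a directory while refusing path-traversal entries, and returns the path each host block should be pointed at. The archive it operates on is a constructed stand-in (zip entries named es-N/es-N.p12 whose payloads are only a DER SEQUENCE header plus filler), so it runs offline without certutil.

```python
"""Added example (not from the ansible-elasticsearch project or this issue's
authors): distinguish a real PKCS#12 keystore from the zip archive that
`elasticsearch-certutil cert --multiple` produces, and unpack the per-node
keystores so each host block can reference its own file."""
import io
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every zip archive
DER_SEQUENCE = 0x30         # a PKCS#12 file is a DER-encoded ASN.1 SEQUENCE


def classify_keystore(data: bytes) -> str:
    """Return 'zip', 'pkcs12' or 'unknown' from the leading bytes of a file."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data and data[0] == DER_SEQUENCE:
        return "pkcs12"
    return "unknown"


def unpack_node_keystores(zip_bytes: bytes, dest: Path) -> dict:
    """Extract every *.p12 entry of the certutil archive below dest and return
    {node_name: extracted_path}. Entries that would land outside dest (absolute
    paths, '..' components) are rejected, as are entries that are not PKCS#12."""
    result = {}
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".p12"):
                continue
            target = (dest / info.filename).resolve()
            if dest not in target.parents:
                raise ValueError(f"refusing to extract outside {dest}: {info.filename}")
            payload = zf.read(info)
            if classify_keystore(payload) != "pkcs12":
                raise ValueError(f"{info.filename} is not a PKCS#12 file")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(payload)
            node = Path(info.filename).parts[0]   # 'es-1' from 'es-1/es-1.p12'
            result[node] = target
    return result


def build_sample_archive(nodes=("es-1", "es-2", "es-3")) -> bytes:
    """Constructed stand-in for my-keystore.p12 as written with --multiple:
    a zip whose entries are <node>/<node>.p12. The payloads are NOT real
    keystores, only a DER SEQUENCE header followed by filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in nodes:
            zf.writestr(f"{n}/{n}.p12", bytes([DER_SEQUENCE, 0x82, 0x00, 0x04]) + b"\x00" * 4)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    archive = build_sample_archive()
    print("my-keystore.p12 looks like:", classify_keystore(archive))   # zip, not pkcs12
    with tempfile.TemporaryDirectory() as tmp:
        for node, path in unpack_node_keystores(archive, Path(tmp)).items():
            print(f"es_ssl_keystore for {node}: {path}")
```

Running classify_keystore over the file named in es_ssl_keystore before the play is a cheap pre-flight check: a "zip" result means the --multiple archive was passed through whole, which is exactly the situation this issue hit. The path-traversal check matters because the archive contents come from whatever host ran certutil and are then written to disk as root by the role.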
JVM version (java -version): 11.0.11
OS version (uname -a if on a Unix-like system): Ubuntu Focal 20.04 Server x86_64
Description of the problem including expected versus actual behaviour:
The elasticsearch role fails when pointed to es_ssl_keystore/es_ssl_truststore using CA and Cert created with bin/elasticsearch-certutil. The role bombs out with:
Playbook:
Install Ansible for ubuntu user on control node:
Download elasticsearch binaries on control node so that we can run bin/elasticsearch-certutil:
Create variables file:
Create playbook for master node:
Run:
Provide logs from Ansible:
Tail of /var/tmp/ansible.log:
ES Logs if relevant:
Tail of /var/log/elasticsearch/test-cluster.log:
Output of systemctl status elasticsearch on the managed node: