SSL inter-node interoperability between ROR node and existing cluster

I have a big problem with connecting readonlyrest to the elasticsearch cluster.
At the moment I have a 4 node cluster and I would like to connect one additional node as readonlyrest.
I have TLS enabled in my cluster, and when I try to connect an additional readonlyrest node to it I always get the error:

[2021-07-07T14:27:52,254][WARN ][o.e.t.TcpTransport       ] [elk5-ror] exception caught on transport layer [Netty4TcpChannel{localAddress=, remoteAddress=null}], closing connection
io.netty.handler.codec.DecoderException: Received fatal alert: bad_certificate

I generate the certificate as p12 from my main node:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
and then keytool imports it:
keytool -importkeystore -deststorepass pass -destkeypass pass -destkeystore shield.jks -srckeystore elk-ror.p12 -srcstoretype PKCS12 -srcalias instance
On the ROR node, of course, I have disabled xpack and enabled transport.type: ror_ssl_internode. My readonlyrest.yml:

       keystore_file: "shield.jks"
       keystore_pass: pass
       key_pass: pass
     - name: "Require HTTP Basic Auth"
       type: allow
       auth_key: elastic:pass

But unfortunately it doesn’t work. Is there any procedure for adding a new ROR node to an existing cluster?

How do you configure this certificate in the existing working node?

It is rather a standard configuration: true none certs/elastic-certificates.p12 certs/elastic-certificates.p12

I also tried the configuration with true none /etc/elasticsearch/config/certs/elk1.key /etc/elasticsearch/config/certs/elk1.crt [ “/etc/elasticsearch/config/certs/ca.crt” ]

But in each case there was the same error => Received fatal alert: bad_certificate, on the ROR node.

Hi @mix091, yesterday we added your request for support to our internal task management system.
Because I’d like to bump up the priority of this task, I would need to know if you are already an active ReadonlyREST PRO/Enterprise user, or are evaluating whether to adopt one of these solutions.

We have just added internode SSL compatibility between ROR nodes and XPack nodes. If you want to test it, please give me a hint about the ES version you use - I’ll send you a pre-build.

The feature will be available starting from ROR 1.36.0.
