Ssl internode with elk cluster

I have a big problem with connecting readonlyrest to the elasticsearch cluster.
At the moment I have a 4 node cluster and I would like to connect one additional node as readonlyrest.
I have tls enabled in my cluster (xpack.security.transport.ssl.enabled) and when I try to connect an additional readonlyrest node to it I always get the error:

[2021-07-07T14:27:52,254][WARN ][o.e.t.TcpTransport       ] [elk5-ror] exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:51460, remoteAddress=null}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

I generate the certificate as p12 from my main node:
bin / elasticsearch-certutil cert --ca elastic-stack-ca.p12
and then keytool imports it:
keytool -importkeystore -deststorepass pass -destkeypass pass -destkeystore shield.jks -srckeystore elk-ror.p12 -srcstoretype PKCS12 -srcalias instance
On ror node of course i have disable xpack and enable transport.type: ror_ssl_internode. My readonlyrest.yml:

 readonlyrest:
     ssl_internode:
       keystore_file: "shield.jks"
       keystore_pass: pass
       key_pass: pass
     access_control_rules:
     - name: "Require HTTP Basic Auth"
       type: allow
       auth_key: elastic:pass

But unfortunately it doesn’t work. Is there any procedure how to add new ror node to exist cluster?

How do you configure this certificate in the existing working node?

It is rather a standard configuration:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

I also tried the configuration with

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.key: /etc/elasticsearch/config/certs/elk1.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/config/certs/elk1.crt
xpack.security.transport.ssl.certificate_authorities: [ “/etc/elasticsearch/config/certs/ca.crt” ]

But in each case there was the same error => Received fatal alert: bad_certificate, on ror node.

Hi @mix091 yesterday we added your request for support to our internal task management system.
Because I’d like to bump up priority to this task, I would need to know if you are an active ReadonlyREST PRO/Enterprise user already, or are you evaluating to adopt one of these solutions.