ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore
Docker Compose version v2.35.1
I simply run
docker compose up setup
then
docker compose up -d
then
docker exec -it docker-elk-elasticsearch-1 /bin/bash
I try to create an enrollment token with or without a URL,
but I get
elasticsearch@96af59c4b2b0:~$ bin/elasticsearch-create-enrollment-token -s node --url "https://elasticsearch:9200"
Unable to create enrollment token for scope [node]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73
How can I set this up? Please help.
Does it work if you use the http scheme instead of https in the URL? If not, you might want to consider switching to the tls branch of docker-elk.
I tried both http and the tls branch, but I am getting almost the same result:
I just added xpack.security.enrollment.enabled: true in elasticsearch.yml.
Same for bin/elasticsearch-create-enrollment-token -s node
elasticsearch@169dcd8f4267:~$ bin/elasticsearch-create-enrollment-token -s node --url "https://172.19.0.2:9200"
15:31:48.376 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [172.19.0.2]; the server provided a certificate with subject name [CN=elasticsearch], fingerprint [bb91c88c0b168b26e4ea706439453caf9cc0749f], no keyUsage and no extendedKeyUsage; the certificate is valid between [2025-06-02T15:26:38Z] and [2028-06-01T15:26:38Z] (current time is [2025-06-02T15:31:48.373762074Z], certificate dates are valid); the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:elasticsearch,IP:127.0.0.1,IP:0:0:0:0:0:0:0:1,DNS:localhost]; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [533a72d199d3a3317706b46e8fc3054fb9340fe2] {trusted issuer}) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/usr/share/elasticsearch/config/ca.crt})])
java.security.cert.CertificateException: No subject alternative names matching IP address 172.19.0.2 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160) ~[?:?]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:466) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:432) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:81) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1310) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:199) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:482) ~[?:?]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:141) ~[?:?]
at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:251) ~[?:?]
at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) ~[?:?]
at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:178) ~[?:?]
at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:112) ~[?:?]
at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.checkClusterHealthWithRetries(BaseRunAsSuperuserCommand.java:214) ~[?:?]
at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.execute(BaseRunAsSuperuserCommand.java:127) ~[?:?]
at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:55) ~[elasticsearch-8.18.2.jar:8.18.2]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:101) ~[elasticsearch-cli-8.18.2.jar:8.18.2]
at org.elasticsearch.cli.Command.main(Command.java:54) ~[elasticsearch-cli-8.18.2.jar:8.18.2]
at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:65) ~[cli-launcher-8.18.2.jar:8.18.2]
ERROR: Failed to determine the health of the cluster., with exit code 69
elasticsearch@169dcd8f4267:~$ bin/elasticsearch-create-enrollment-token -s node --url "https://localhost:9200"
Unable to create enrollment token for scope [node]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73
elasticsearch@169dcd8f4267:~$ bin/elasticsearch-create-enrollment-token -s node --url "http://localhost:9200"
ERROR: Failed to determine the health of the cluster., with exit code 69
Also, when I go to Kibana and enter the username and password,
this API says
http://192.168.1.10:5601/internal/security/user_profile?dataPath=avatar,userSettings
statusCode 401
so it stays at the login screen only.
However, in the Kibana logs I see
[2025-06-02T15:43:54.095+00:00][INFO ][plugins.security.authentication] Performing login attempt with "basic" provider.
[2025-06-02T15:43:54.527+00:00][INFO ][plugins.security.authentication] Login attempt with "basic" provider succeeded (requires redirect: true).
Strange behavior.
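The DiagnosticTrustManager warning above already contains the answer to the second failure: the node certificate lists the subject alternative names DNS:elasticsearch, IP:127.0.0.1, IP:::1 and DNS:localhost, but the tool was pointed at https://172.19.0.2:9200, so Java's hostname verification rejected it. The following is an added example (not code from the thread or from docker-elk) that reimplements the hostname-matching rule applied by the JDK trust manager, so a URL can be checked against a certificate's SAN list offline: an IP literal in the URL only matches an IP SAN (after normalisation, so 0:0:0:0:0:0:0:1 equals ::1), and a DNS name only matches a DNS SAN (case-insensitively, with a single-label wildcard). The SAN list is copied verbatim from the log line above; the function names are my own.

```python
import ipaddress
from urllib.parse import urlsplit

# SAN field copied from the "subject alternative names" part of the
# DiagnosticTrustManager warning in the thread.
SAN_LOG_FIELD = "[DNS:elasticsearch,IP:127.0.0.1,IP:0:0:0:0:0:0:0:1,DNS:localhost]"


def parse_sans(field):
    """Turn '[DNS:a,IP:b]' into a list of (kind, value) tuples."""
    sans = []
    for entry in field.strip().strip("[]").split(","):
        kind, _, value = entry.partition(":")   # first ':' only; IPv6 keeps its colons
        sans.append((kind.strip().upper(), value.strip()))
    return sans


def dns_matches(pattern, hostname):
    """RFC 6125 style DNS-ID comparison: case-insensitive, '*.' covers one label."""
    pattern = pattern.lower()
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return pattern == hostname


def url_matches_cert(url, sans):
    """True if the host part of `url` is covered by one of the SANs."""
    host = urlsplit(url).hostname                 # strips port and IPv6 brackets
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against IP SANs, never against DNS SANs.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and dns_matches(value, host) for kind, value in sans)


SANS = parse_sans(SAN_LOG_FIELD)

if __name__ == "__main__":
    # The three URLs tried in the thread plus the IPv6 loopback form.
    for url in ("https://elasticsearch:9200", "https://172.19.0.2:9200",
                "https://localhost:9200", "https://[::1]:9200"):
        print(f"{url:30} hostname verification {'passes' if url_matches_cert(url, SANS) else 'FAILS'}")
```

Run as a script it reports that only the container's bridge address fails, which is why the --url "https://elasticsearch:9200" form (the service name, which is in the SAN list) gets past TLS and reaches the keystore error instead.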
Investigation
I tried this myself and can reproduce the behaviour, but could not determine that it is an issue with docker-elk. The documentation for this tool at https://www.elastic.co/docs/reference/elasticsearch/command-line-tools/create-enrollment-token states:
elasticsearch-create-enrollment-token can only be used with Elasticsearch clusters that have been auto-configured for security.
After looking for more information about this "auto-configured" security, I stumbled upon https://www.elastic.co/docs/deploy-manage/security/self-auto-setup, which describes a few cases where security is considered to be manually configured:
The following settings are incompatible with security auto configuration. If any of these settings exist, the node startup process skips configuring security automatically and the node starts normally.
- node.roles is set to a value where the node can't be elected as master, or if the node can't hold data
- xpack.security.autoconfiguration.enabled is set to false
- xpack.security.enabled has a value set
- Any of the xpack.security.transport.ssl.* or xpack.security.http.ssl.* settings have a value set in the elasticsearch.yml configuration file or in the elasticsearch.keystore
- Any of the discovery.type, discovery.seed_hosts, or cluster.initial_master_nodes discovery and cluster formation settings have a value set
As a matter of fact, docker-elk does have xpack.security.enabled set:
https://github.com/deviantony/docker-elk/blob/ac4a01fe60341089a474561ac587d1975ed6ba4b/elasticsearch/config/elasticsearch.yml#L9
Removing/commenting that line should work, but in practice it causes the auto-configuration mechanism to try moving docker-elk's configuration file, which doesn't work because it is mounted.
Alternative
In order to use enrollment tokens, it might be preferable to follow the steps at https://www.elastic.co/docs/deploy-manage/deploy/self-managed/install-elasticsearch-docker-basic.
Starting an Elasticsearch container without any custom settings causes it to eventually print an enrollment token:
docker run \
--rm \
--net docker-elk_elk \
-it \
-m 1GB \
docker-elk-elasticsearch
Something similar might be achieved with Compose, but it possibly requires several manual steps which are out of the intended scope of docker-elk.
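To see at a glance whether a given elasticsearch.yml will be treated as "manually configured" (and therefore never get enrollment tokens), the list quoted from the documentation above can be turned into a check. This is an added example, not part of docker-elk or of the Elastic tooling; it only understands the flat key: value layout that docker-elk's file uses (comments, inline [a, b] lists and "- item" block lists), and it does not look inside elasticsearch.keystore, which the documentation also names. The sample configuration is a constructed one modelled on docker-elk's, and treating data_* tiers as "can hold data" is my reading of the node.roles rule.

```python
import fnmatch

# Constructed sample resembling docker-elk's elasticsearch.yml (not the real file).
SAMPLE_CONFIG = """\
## Default Elasticsearch configuration from Elasticsearch base image.
cluster.name: docker-cluster
network.host: 0.0.0.0
## X-Pack settings
xpack.license.self_generated.type: trial
xpack.security.enabled: true
"""

SSL_PATTERNS = ("xpack.security.transport.ssl.*", "xpack.security.http.ssl.*")
DISCOVERY_KEYS = ("discovery.type", "discovery.seed_hosts", "cluster.initial_master_nodes")


def parse_flat_yaml(text):
    """Minimal parser for flat elasticsearch.yml files: 'key: value' lines,
    '#' comments, '[a, b]' inline lists and '- item' block lists. Not full YAML."""
    settings = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("- ") and last_key is not None:
            current = settings.get(last_key)
            if not isinstance(current, list):       # first item of a block list
                current = []
                settings[last_key] = current
            current.append(stripped[2:].strip())
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        settings[key] = value
        last_key = key
    return settings


def autoconfig_blockers(settings):
    """Return the reasons (per the documentation list quoted above) why security
    auto-configuration would be skipped. An empty list means it can run.
    Keystore-only settings are not visible to this check."""
    reasons = []
    roles = settings.get("node.roles")
    if roles is not None:
        roles = roles if isinstance(roles, list) else [roles]
        can_master = "master" in roles
        # Assumption: any data or data_* tier role counts as "can hold data".
        can_data = any(r == "data" or r.startswith("data_") for r in roles)
        if not (can_master and can_data):
            reasons.append(f"node.roles={roles} cannot be master or hold data")
    if str(settings.get("xpack.security.autoconfiguration.enabled", "")).lower() == "false":
        reasons.append("xpack.security.autoconfiguration.enabled is false")
    if "xpack.security.enabled" in settings:
        # Any value, including 'true', disables auto-configuration.
        reasons.append("xpack.security.enabled has a value set")
    for key in settings:
        if any(fnmatch.fnmatch(key, pattern) for pattern in SSL_PATTERNS):
            reasons.append(f"{key} is set")
    for key in DISCOVERY_KEYS:
        if key in settings:
            reasons.append(f"{key} is set")
    return reasons


if __name__ == "__main__":
    for reason in autoconfig_blockers(parse_flat_yaml(SAMPLE_CONFIG)) or ["no blockers found"]:
        print(reason)
```

On the sample it reports only the xpack.security.enabled line, matching the investigation above; a config from the tls branch would additionally trip on its xpack.security.http.ssl.* keys, which is why that branch gave the same keystore error.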
Hi, thanks for the investigation. I created the cluster by generating a CA for the new node and restarting the existing nodes. This worked fine, and the existing nodes were able to discover the newly added node. The only downside is the need to restart. I also tried using without custom settings and was able to add new nodes with an enrollment token. My main reason for using the enrollment token was to add nodes without requiring a restart.