Home / server / Questions / 1160878
Accepted
ericx
Asked: 2024-06-13 02:37:30 +0800 CST

"SSL routines::wrong version number" after elasticsearch upgrade

  • 772

This is a pretty new ELK installation. I originally installed v7.x because I mistakenly thought it was required; but then upgraded in place by editing the source URL for the Elastic PPA. The upgrade using apt was without error.

I had to adjust some settings in the elasticsearch.yml file (swap out 'http' for 'transport'):

ELK 7:

xpack.security.http.ssl.enabled: 'true'
xpack.security.http.ssl.verification_mode: 'none'
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
xpack.security.http.ssl.key: /etc/elasticsearch/certs/netflow/netflow.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/netflow/netflow.crt

ELK 8:

xpack.security.transport.ssl.enabled: 'true'
xpack.security.transport.ssl.verification_mode: 'none'
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/netflow/netflow.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/netflow/netflow.crt

Under ELK 7. This worked gracefully. Under ELK 8. It now produces an error from the OpenSSL library linked into curl:

# curl -v --cacert /etc/elasticsearch/certs/ca/ca.crt -u elastic:PASSWORD https://127.0.0.1:9200
*   Trying 127.0.0.1:9200...
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/elasticsearch/certs/ca/ca.crt
*  CApath: /etc/ssl/certs
* OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
[Exit 35 ]

First question I have to ask is what does the error actually mean? Wrong version of what? (my best guess was SSL version)

I tried adding --ssl2, --ssl3, --tls-max 1.0, --tls-max 1.1, --tls-max 1.2, and --tls-max 1.3; but it made no difference.

ssl

1 Answers

  1. Best Answer

    So Steffen is correct. There was no SSL at all. After upgrading from 7.x to 8.x, elasticsearch failed to start and I found the following error message in the log:

    bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]; for more information see [https://www.elastic.co/guide/en/elasticsearch/reference/8.14/bootstrap-checks-xpack.html#bootstrap-checks-tls]

    When you follow the links (there is a second link to chase: Set up basic security for the Elastic Stack), you find instructions to use 'transport` instead of 'http' in the config (as I did above). Not sure what that actually does, but it disables SSL on the default port 9200 connection to Elasticsearch.

    The correct solution for me in response to the error "Transport SSL must be enabled" was to restore the "http" instead of "transport" and add the line:

    discovery.type: 'single-node'
    • 0