**I went ahead and used the generated certificates in place of my own, but I ended up with the same error. So at least we know the certificates themselves are not the problem. Probably some config problem?**
======================================
logger.com.floragunn.searchguard.ssl: DEBUG
searchguard.ssl.http.clientauth_mode: REQUIRE
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: stores/serverKeyStore.jks
searchguard.ssl.transport.truststore_filepath: stores/serverTrustStore.jks
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: stores/serverKeyStore.jks
searchguard.ssl.http.truststore_filepath: stores/serverTrustStore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.keystore_password: kpwd
searchguard.ssl.transport.truststore_password: tpwd
searchguard.ssl.http.keystore_password: kpwd
searchguard.ssl.http.truststore_password: tpwd
searchguard.ssl.transport.keystore_alias: cn=hostname.domain
searchguard.ssl.transport.truststore_alias: root-ca-chain
searchguard.ssl.http.keystore_alias: cn=hostname.domain
searchguard.ssl.http.truststore_alias: root-ca-chain
searchguard.ssl.transport.enabled_protocols:
searchguard.ssl.http.enabled_protocols:
==============================================
[2017-07-12T15:32:22,922][INFO ][o.e.n.Node ] [master_hostname.domain] initializing …
[2017-07-12T15:32:23,437][INFO ][o.e.e.NodeEnvironment ] [master_hostname.domain] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [6.3gb], net total_space [16.9gb], spins? [unknown], types [rootfs]
[2017-07-12T15:32:23,437][INFO ][o.e.e.NodeEnvironment ] [master_hostname.domain] heap size [1.9gb], compressed ordinary object pointers [true]
[2017-07-12T15:32:23,520][INFO ][o.e.n.Node ] [master_hostname.domain] node name [master_hostname.domain], node ID [jH94B8oWQTiKrNfu-3eQuA]
[2017-07-12T15:32:23,520][INFO ][o.e.n.Node ] [master_hostname.domain] version[5.4.2], pid[6068], build[929b078/2017-06-15T02:29:28.122Z], OS[Linux/3.10.0-514.el7.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_102/25.102-b14]
[2017-07-12T15:32:23,521][INFO ][o.e.n.Node ] [master_hostname.domain] JVM arguments [-Xms2g, -Xmx2g, -Djavax.net.ssl.trustStore=/PATH/serverTrustStore.jks, -Djavax.net.ssl.trustAnchors=/PATH/serverTrustStore.jks, -Djavax.net.ssl.keyStore=/PATH/serverKeyStore.jks, -Djavax.net.debug=ssl:handshake, -Dlog4j2.disable.jmx=true, -Djava.security.policy=/PATH/plugin-security.policy, -Des.path.home=/PATH]
[2017-07-12T15:32:34,739][INFO ][c.f.s.SearchGuardPlugin ] Clustername: elk-CwS2.2.1-0705
[2017-07-12T15:32:34,989][INFO ][c.f.s.SearchGuardPlugin ] Node [master_hostname.domain] is a transportClient: false/tribeNode: false/tribeNodeClient: false
[2017-07-12T15:32:35,101][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_102
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: OpenJDK 64-Bit Server VM
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-07-12T15:32:35,102][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-07-12T15:32:35,103][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-07-12T15:32:35,103][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-07-12T15:32:35,103][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-07-12T15:32:35,103][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.el7.x86_64
[2017-07-12T15:32:36,835][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 82 ciphers for https [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, 
TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
[2017-07-12T15:32:36,875][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 82 ciphers for transport [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, 
TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
[2017-07-12T15:32:36,877][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /PATH/integration/elk/conf/elasticsearch/, from there the key- and truststore files are resolved relatively
[2017-07-12T15:32:36,885][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-07-12T15:32:36,885][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: is a certificate entry?false/is a key entry?true
[2017-07-12T15:32:36,886][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: chain len 3
[2017-07-12T15:32:36,886][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:36,888][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Signing CA, OU=ORGANIZATION Canada Signing CA, O=ORGANIZATION Canada of type 0 → false
[2017-07-12T15:32:36,889][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Root CA, OU=ORGANIZATION Canada Root CA, O=ORGANIZATION Canada of type 2147483647 → true
[2017-07-12T15:32:36,889][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: single cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:36,889][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias cn=hostname.domain contains a root certificate
[2017-07-12T15:32:36,890][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-07-12T15:32:36,890][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: is a certificate entry?false/is a key entry?true
[2017-07-12T15:32:36,891][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: chain len 3
[2017-07-12T15:32:36,983][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:36,983][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Signing CA, OU=ORGANIZATION Canada Signing CA, O=ORGANIZATION Canada of type 0 → false
[2017-07-12T15:32:36,983][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Root CA, OU=ORGANIZATION Canada Root CA, O=ORGANIZATION Canada of type 2147483647 → true
[2017-07-12T15:32:36,983][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: single cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:36,996][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-07-12T15:32:36,996][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false
[2017-07-12T15:32:36,996][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=ORGANIZATION Canada Root CA, OU=ORGANIZATION Canada Root CA, O=ORGANIZATION Canada of type 2147483647 → true
[2017-07-12T15:32:37,170][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode REQUIRE
[2017-07-12T15:32:37,234][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-07-12T15:32:37,234][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: is a certificate entry?false/is a key entry?true
[2017-07-12T15:32:37,234][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: chain len 3
[2017-07-12T15:32:37,234][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:37,234][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Signing CA, OU=ORGANIZATION Canada Signing CA, O=ORGANIZATION Canada of type 0 → false
[2017-07-12T15:32:37,235][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Root CA, OU=ORGANIZATION Canada Root CA, O=ORGANIZATION Canada of type 2147483647 → true
[2017-07-12T15:32:37,235][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: single cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:37,235][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias cn=hostname.domain contains a root certificate
[2017-07-12T15:32:37,235][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-07-12T15:32:37,235][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: is a certificate entry?false/is a key entry?true
[2017-07-12T15:32:37,235][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: chain len 3
[2017-07-12T15:32:37,235][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:37,235][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Signing CA, OU=ORGANIZATION Canada Signing CA, O=ORGANIZATION Canada of type 0 → false
[2017-07-12T15:32:37,236][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ORGANIZATION Canada Root CA, OU=ORGANIZATION Canada Root CA, O=ORGANIZATION Canada of type 2147483647 → true
[2017-07-12T15:32:37,236][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias cn=hostname.domain: single cert CN=hostname.domain of type -1 → false
[2017-07-12T15:32:37,237][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-07-12T15:32:37,237][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false
[2017-07-12T15:32:37,237][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=ORGANIZATION Canada Root CA, OU=ORGANIZATION Canada Root CA, O=ORGANIZATION Canada of type 2147483647 → true
[2017-07-12T15:32:37,245][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-07-12T15:32:37,245][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-07-12T15:32:37,246][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTPProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-07-12T15:32:37,246][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2]
[2017-07-12T15:32:37,246][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2]
[2017-07-12T15:32:37,249][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [aggs-matrix-stats]
[2017-07-12T15:32:37,249][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [ingest-common]
[2017-07-12T15:32:37,249][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [lang-expression]
[2017-07-12T15:32:37,249][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [lang-groovy]
[2017-07-12T15:32:37,249][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [lang-mustache]
[2017-07-12T15:32:37,249][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [lang-painless]
[2017-07-12T15:32:37,250][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [percolator]
[2017-07-12T15:32:37,250][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [reindex]
[2017-07-12T15:32:37,250][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [transport-netty3]
[2017-07-12T15:32:37,250][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded module [transport-netty4]
[2017-07-12T15:32:37,250][INFO ][o.e.p.PluginsService ] [master_hostname.domain] loaded plugin [search-guard-5]
[2017-07-12T15:32:47,316][DEBUG][o.e.a.ActionModule ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin
[2017-07-12T15:32:47,651][INFO ][c.f.s.a.BackendRegistry ] Register EgoAuthenticationBackend()
[2017-07-12T15:32:47,930][INFO ][o.e.d.DiscoveryModule ] [master_hostname.domain] using discovery type [zen]
[2017-07-12T15:32:52,995][INFO ][o.e.n.Node ] [master_hostname.domain] initialized
[2017-07-12T15:32:52,995][INFO ][o.e.n.Node ] [master_hostname.domain] starting …
[2017-07-12T15:32:53,414][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [master_hostname.domain] using profile[default], worker_count[4], port[9301], bind_host[null], publish_host[null], compress[false], connect_timeout[30s], connections_per_node[0/3/6/1/1], receive_predictor[64kb->64kb]
[2017-07-12T15:32:53,420][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [master_hostname.domain] binding server bootstrap to: [XXX.XXX.XXX.XXX]
[2017-07-12T15:32:54,196][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [master_hostname.domain] Bound profile [default] to address {XXX.XXX.XXX.XXX:9301}
[2017-07-12T15:32:54,197][INFO ][o.e.t.TransportService ] [master_hostname.domain] publish_address {XXX.XXX.XXX.XXX:9301}, bound_addresses {XXX.XXX.XXX.XXX:9301}
[2017-07-12T15:32:54,204][INFO ][o.e.b.BootstrapChecks ] [master_hostname.domain] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-07-12T15:32:57,992][INFO ][o.e.c.s.ClusterService ] [master_hostname.domain] new_master {master_hostname.domain}{jH94B8oWQTiKrNfu-3eQuA}{aJMQWztPRlmVg5LnNlAvkg}{hostname.domain}{XXX.XXX.XXX.XXX:9301}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-07-12T15:32:58,592][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [master_hostname.domain] publish_address {127.0.0.1:9201}, bound_addresses {XXX.XXX.XXX.XXX:9201}
[2017-07-12T15:32:58,646][INFO ][o.e.n.Node ] [master_hostname.domain] started
[2017-07-12T15:33:01,290][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [master_hostname.domain] connected to node [{data_hostname.domain}{2y1AAE8SSB-ZiIeHJNRvTg}{EgseokcITtKt6fEt52FrtA}{hostname.domain}{XXX.XXX.XXX.XXX:9302}]
[2017-07-12T15:33:02,284][INFO ][o.e.g.GatewayService ] [master_hostname.domain] recovered [15] indices into cluster_state
[2017-07-12T15:33:03,195][INFO ][o.e.c.s.ClusterService ] [master_hostname.domain] added {{data_hostname.domain}{2y1AAE8SSB-ZiIeHJNRvTg}{EgseokcITtKt6fEt52FrtA}{hostname.domain}{XXX.XXX.XXX.XXX:9302},}, reason: zen-disco-node-join[{data_hostname.domain}{2y1AAE8SSB-ZiIeHJNRvTg}{EgseokcITtKt6fEt52FrtA}{hostname.domain}{XXX.XXX.XXX.XXX:9302}]
[2017-07-12T15:33:03,212][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [master_hostname.domain] connected to node [{client_hostname.domain}{svr4h2-EQVWWKJdek19CQg}{PjFrAfHxSeOXMtlK07F1dQ}{hostname.domain}{XXX.XXX.XXX.XXX:9300}]
[2017-07-12T15:33:03,502][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [master_hostname.domain] SSL Problem null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) ~[?:?]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_102]