Add nodes to your cluster

Generate certificates for the two new nodes.

For example, run the following command:

./bin/elasticsearch-certutil cert \
--ca elastic-stack-ca.p12 \ 
--multiple

You are prompted for information about each new node. Specify node-2 and node-3 for the instance names. For the purposes of this tutorial, specify the same IP address (127.0.0.1,::1) and DNS name (localhost) for each node.

You are prompted to enter the password for your CA. You are also prompted to create a password for each certificate.

By default, the command produces a zip file named certificate-bundle.zip, which contains the generated certificates and keys.

Decompress the certificate-bundle.zip file. For example:

unzip certificate-bundle.zip

Archive:  certificate-bundle.zip
   creating: node-2/
  inflating: node-2/node-2.p12
   creating: node-3/
  inflating: node-3/node-3.p12

The certificate-bundle.zip file contains a folder for each of your nodes. Each folder contains a single PKCS#12 keystore that includes a node certificate, node key, and CA certificate.

Specify the name of the cluster and give each node a unique name.

For example, add the following settings to the ES_PATH_CONF/elasticsearch.yml file on the second node:

cluster.name: test-cluster
node.name: node-2

Add the following settings to the ES_PATH_CONF/elasticsearch.yml file on the third node:

cluster.name: test-cluster
node.name: node-3

(Optional) Provide seed addresses to help your nodes discover other nodes with which to form a cluster.

For example, add the following setting in the ES_PATH_CONF/elasticsearch.yml file:

discovery.seed_hosts: ["localhost"]

The default value for this setting is 127.0.0.1, [::1], therefore it isn’t actually required in this tutorial. When you want to form a cluster with nodes on other hosts, however, you must use this setting to provide a list of master-eligible nodes to seed the discovery process. For more information, see Discovery.

On each node, enable TLS for transport communications. You must also configure each node to identify itself using its signed certificate.

For example, add the following settings in the ES_PATH_CONF/elasticsearch.yml file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 
xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12

On each node, store the password for the PKCS#12 file in the Elasticsearch keystore.

For example, run the following commands:

./bin/elasticsearch-keystore create 
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

On the second node, supply the password that you created for the node-2.p12 file. On the third node, supply the password that you created for the node-3.p12 file.

Start each Elasticsearch node. For example, if you installed Elasticsearch with a .tar.gz package, run the following command from each Elasticsearch directory:

./bin/elasticsearch

See Starting Elasticsearch.

If you encounter errors, you can see some common problems and solutions in Common SSL/TLS exceptions.

Verify that your cluster now contains three nodes.

For example, log into Kibana with the elastic built-in user. Go to Dev Tools > Console and run the cluster health API:

GET _cluster/health

Confirm the number_of_nodes in the response from this API.

You can also use the cat nodes API to identify the master node:

GET _cat/nodes?v

The node that has an asterisk(*) in the master column is the elected master node.