PKI Realm uses CAs with no accepted certificate issuers – How to solve related issues

Opster Team

Feb-20, Version: 1.7-8.0

Before you begin reading this guide, we recommend you run Elasticsearch Error Check-Up which analyzes 2 JSON files to detect many errors.

To easily locate the root cause and resolve this issue try AutoOps for Elasticsearch & OpenSearch. It diagnoses problems by analyzing hundreds of metrics collected by a lightweight agent and offers guidance for resolving them.

This guide will help you check for common problems that cause the log ” PKI Realm uses CAs with no accepted certificate issuers ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.


Log Context

Log “PKI Realm {} uses CAs {} with no accepted certificate issuers” classname is PkiRealm.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

             }
            return trustManager;
        }
        final X509TrustManager trustManager = trustManagersFromCAs(certificateAuthorities; realmConfig.env());
        if (trustManager.getAcceptedIssuers().length == 0) {
            logger.warn("PKI Realm {} uses CAs {} with no accepted certificate issuers"; this; certificateAuthorities);
        }
        return trustManager;
    }

    private static X509TrustManager trustManagersFromTruststore(String truststorePath; RealmConfig realmConfig) {




 

Watch product tour

Try AutoOps to find & fix Elasticsearch problems

Analyze Your Cluster
Skip to content