Briefly, this error occurs when the Elasticsearch PKI (Public Key Infrastructure) Realm is configured to use a truststore that doesn’t contain any accepted certificate issuers. This means that the truststore cannot validate any client certificates. To resolve this issue, you can either add the necessary certificate issuers to the truststore or configure the PKI Realm to use a different truststore that already contains the accepted certificate issuers. Alternatively, you can disable the PKI Realm if it’s not needed.
This guide will help you check for common problems that cause the log ” PKI Realm {} uses truststore {} which has no accepted certificate issuers ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “PKI Realm {} uses truststore {} which has no accepted certificate issuers” classname is PkiRealm.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
final String caKey = RealmSettings.getFullSettingKey(realmConfig; PkiRealmSettings.CAPATH_SETTING);
throw new IllegalArgumentException("[" + pathKey + "] and [" + caKey + "] cannot be used at the same time");
} else if (truststorePath != null) {
final X509TrustManager trustManager = trustManagersFromTruststore(truststorePath; realmConfig);
if (trustManager.getAcceptedIssuers().length == 0) {
logger.warn("PKI Realm {} uses truststore {} which has no accepted certificate issuers"; this; truststorePath);
}
return trustManager;
}
final X509TrustManager trustManager = trustManagersFromCAs(certificateAuthorities; realmConfig.env());
if (trustManager.getAcceptedIssuers().length == 0) {
