How to add nodes to an existing cluster

I’m attempting to add nodes to a running ODFE cluster.
So far I’ve:

  • Installed ODFE on the new node
  • Created certificates and sent them to this machine
  • Configured the previously running node’s elasticsearch.yml so that discovery.seed_hosts and cluster.initial_master_nodes include the new node.
  • I’ve configured the same on the new node (with the information for the previous node).

Once I restart the new ODFE node’s API I get: Open Distro Security not initialized.
When I try to run on the older node nothing seems out of the ordinary and in the new one it will state:

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: null. This is not an error, will keep on trying ...
  Root cause: MasterNotDiscoveredException[null] (org.elasticsearch.discovery.MasterNotDiscoveredException/org.elasticsearch.discovery.MasterNotDiscoveredException)
   * Try running with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
   * Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
   * If this is not working, try running with --diagnose and see diagnose trace log file)
   * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.

Is there any documentation on how to add nodes to existing clusters that have security enabled?

@poshpotoo What version of ODFE are you running?
There is no need to re-run; if the configuration is correct, the node will be added to the cluster and the security index updated with the relevant details.
Please also note that initial_master_nodes doesn’t need to be updated if you already have a cluster; it is only needed when a new cluster is being formed.
Can you confirm that the certificate and key are signed by the same CA as the rest of the certs in the cluster?
If so, can you try disabling the settings below and see if you get any errors:
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
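
The CA question in the reply above can be answered with openssl before the new node is restarted. This is an added example, not part of the thread or of ODFE's own tooling; the file names, subject DNs and the throwaway PKI built by make_demo_pki are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-join checks for a new node's transport certificate.
# All file names and DNs below are constructed for the demo.

# Succeeds only if CERT chains to the CA certificate in CA_FILE.
cert_signed_by_ca() {  # usage: cert_signed_by_ca CA_FILE CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if KEY is the private key for CERT
# (compares a digest of the public key derived from each).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
  kmc_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256) || return 1
  kmc_key=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256) || return 1
  [ "$kmc_cert" = "$kmc_key" ]
}

# Builds a throwaway PKI in DIR: the cluster CA, an unrelated CA,
# and a node certificate signed by the cluster CA.
make_demo_pki() {  # usage: make_demo_pki DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-cluster-ca" \
    -keyout "$1/root-ca.key" -out "$1/root-ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-other-ca" \
    -keyout "$1/other-ca.key" -out "$1/other-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node2.example.test" \
    -keyout "$1/node2.key" -out "$1/node2.csr" 2>/dev/null
  openssl x509 -req -in "$1/node2.csr" -CA "$1/root-ca.pem" \
    -CAkey "$1/root-ca.key" -CAcreateserial -days 1 -out "$1/node2.pem" 2>/dev/null
}

# Demo run: the node certificate passes against the cluster CA and
# fails against a CA the cluster does not use.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for ca in root-ca.pem other-ca.pem; do
  if cert_signed_by_ca "$demo_dir/$ca" "$demo_dir/node2.pem"; then
    echo "node2.pem chains to $ca"
  else
    echo "node2.pem does NOT chain to $ca"
  fi
done
key_matches_cert "$demo_dir/node2.pem" "$demo_dir/node2.key" \
  && echo "node2.key matches node2.pem"
# Subject DN as the other nodes will see it during the TLS handshake.
openssl x509 -in "$demo_dir/node2.pem" -noout -subject
rm -rf "$demo_dir"
```

On a real cluster, skip make_demo_pki and point the two check functions at the root CA file already deployed on the existing nodes and at the certificate and key copied to the new node.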