Right tls config when using helm chart on kubernetes

Hello.

I want to install opendistro-es on kubernetes using helm chart.
helm chart is https://github.com/opendistro-for-elasticsearch/opendistro-build/tree/master/helm/opendistro-es.

Here is my values.yaml

  config:
    opendistro_security.ssl.transport.enabled: true
    opendistro_security.ssl.transport.keystore_type: PKCS12
    opendistro_security.ssl.transport.keystore_filepath: elk-transport-key.pem
    opendistro_security.ssl.transport.truststore_type: PKCS12
    opendistro_security.ssl.transport.truststore_filepath: elk-transport-crt.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false

    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.keystore_type: PKCS12
    opendistro_security.ssl.http.keystore_filepath: elk-transport-key.pem
    opendistro_security.ssl.http.truststore_type: PKCS12
    opendistro_security.ssl.http.truststore_filepath: elk-transport-crt.pem
    opendistro_security.ssl.http.clientauth_mode: NONE

I create keystore and truststore file like below.

docker run --rm -v `pwd`:/cacert docker.elastic.co/elasticsearch/elasticsearch:7.3.2 /bin/sh -c " \
elasticsearch-certutil ca --days 3650 --out /cacert/elastic-stack-ca.p12 --pass changeit && \
elasticsearch-certutil cert --ca /cacert/elastic-stack-ca.p12 --ca-pass changeit --days 3650 --out 
/cacert/elastic-certificates.p12 --pass changeit \
"

And I create secret like below.

kubectl create secret generic elastic-certificates \
  --from-file=elk-transport-crt.pem=elastic-certificates.p12 \
  --from-file=elk-transport-key.pem=elastic-certificates.p12 \
  --from-file=elk-transport-root-ca.pem=elastic-certificates.p12 \
  -n opendistro-es-stage

after helm install, there’s error.
logs is here.

[2020-02-10T06:20:44,552][INFO ][o.e.h.AbstractHttpServerTransport] [opendistro-es-stage-master-0] publish_address {10.244.7.207:9200}, bound_addresses {0.0.0.0:9200}
[2020-02-10T06:20:44,553][INFO ][o.e.n.Node               ] [opendistro-es-stage-master-0] started
[2020-02-10T06:20:44,553][INFO ][c.a.o.s.OpenDistroSecurityPlugin] [opendistro-es-stage-master-0] Node started
[2020-02-10T06:20:44,553][INFO ][c.a.o.s.c.ConfigurationRepository] [opendistro-es-stage-master-0] Check if .opendistro_security index exists ...
[2020-02-10T06:20:44,553][INFO ][c.a.o.s.c.ConfigurationRepository] [opendistro-es-stage-master-0] .opendistro_security index does not exist yet, so no need to load config on node startup. Use securityadmin to initialize cluster
[2020-02-10T06:20:44,554][INFO ][c.a.o.s.OpenDistroSecurityPlugin] [opendistro-es-stage-master-0] 4 Open Distro Security modules loaded so far: [Module [type=DLSFLS, implementing class=com.amazon.opendistroforelasticsearch.security.configuration.OpenDistroSecurityFlsDlsIndexSearcherWrapper], Module [type=AUDITLOG, implementing class=com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditLogImpl], Module [type=MULTITENANCY, implementing class=com.amazon.opendistroforelasticsearch.security.configuration.PrivilegesInterceptorImpl], Module [type=REST_MANAGEMENT_API, implementing class=com.amazon.opendistroforelasticsearch.security.dlic.rest.api.OpenDistroSecurityRestApiActions]]
[2020-02-10T06:20:44,554][INFO ][c.a.o.s.c.ConfigurationRepository] [opendistro-es-stage-master-0] Background init thread started. Install default config?: false
[2020-02-10T06:20:44,591][INFO ][o.e.g.GatewayService     ] [opendistro-es-stage-master-0] recovered [0] indices into cluster_state
[2020-02-10T06:20:44,754][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [opendistro-es-stage-master-0] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with 
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone 
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/]
[2020-02-10T06:20:45,617][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [opendistro-es-stage-master-0] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with 
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone 
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/]

What is the problem and how can I fix this problem?

Thanks,