Elasticsearch 6.7
SearchGuard: 6.7.1-24.3, enterprise licensed
Im having no luck adding a new node to my cluster. No matter what combination of nodes_dn I use, the server reports the same error every time the new node tries to do discovery:
[2019-05-07T11:20:42,064][ERROR][c.f.s.t.SearchGuardRequestHandler] [isZPOIE] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someone is spoofing requests. Check your TLS certificate setup as described here: See http://docs.search-guard.com/latest/troubleshooting-tls]
I would like to just get this working with a wildcard as the nodes_dn but even that does not work.
Master node (works fine by itself) - ktelastic.domain.com
searchguard.ssl.transport.pemcert_filepath: ssl/ktelastic.crt
searchguard.ssl.transport.pemkey_filepath: ssl/ktelastic.key
searchguard.ssl.transport.pemtrustedcas_filepath: ssl/domain.com.chained.crt
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.nodes_dn:
- 'CN=*.domain.com'
New node (fails to join):
discovery.zen.ping.unicast.hosts:
- ktelastic.domain.com
searchguard.ssl.transport.pemcert_filepath: ssl/ktelastic2.crt
searchguard.ssl.transport.pemkey_filepath: ssl/ktelastic2.key
searchguard.ssl.transport.pemtrustedcas_filepath: ssl/domain.com.chained.crt
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
The node certificate ktelastic2.crt has Issuer that looks like:
Subject: CN=ktelastic2.domain.com
Any ideas?