SearchGuard: 6.7.1-24.3, enterprise licensed
Im having no luck adding a new node to my cluster. No matter what combination of nodes_dn I use, the server reports the same error every time the new node tries to do discovery:
[2019-05-07T11:20:42,064][ERROR][c.f.s.t.SearchGuardRequestHandler] [isZPOIE] ElasticsearchException[Illegal parameter in http or transport request found. This means that one node is trying to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someone is spoofing requests. Check your TLS certificate setup as described here: See http://docs.search-guard.com/latest/troubleshooting-tls]
I would like to just get this working with a wildcard as the nodes_dn but even that does not work.
Master node (works fine by itself) - ktelastic.domain.com
searchguard.ssl.transport.pemcert_filepath: ssl/ktelastic.crt searchguard.ssl.transport.pemkey_filepath: ssl/ktelastic.key searchguard.ssl.transport.pemtrustedcas_filepath: ssl/domain.com.chained.crt searchguard.ssl.transport.enforce_hostname_verification: false searchguard.ssl.transport.resolve_hostname: false searchguard.nodes_dn: - 'CN=*.domain.com'
New node (fails to join):
discovery.zen.ping.unicast.hosts: - ktelastic.domain.com searchguard.ssl.transport.pemcert_filepath: ssl/ktelastic2.crt searchguard.ssl.transport.pemkey_filepath: ssl/ktelastic2.key searchguard.ssl.transport.pemtrustedcas_filepath: ssl/domain.com.chained.crt searchguard.ssl.transport.enforce_hostname_verification: false searchguard.ssl.transport.resolve_hostname: false
The node certificate ktelastic2.crt has Issuer that looks like: