DefaultInterClusterRequestEvaluator

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version 5.5.1

  • Used enterprise modules, if any No

  • JVM version and operating system version OpenJDK 1.8.0 144, CentOS 7

  • Search Guard configuration files Standart

  • Elasticsearch log messages on debug level

Elasticsearch cluster by docker + SG. 2 nodes master + data. Names es-master and es-data.

searchguard.authcz.admin_dn:

  • CN=admin, OU=client, O=client, L=Test, C=DE

searchguard.nodes_dn:

In ENV

  • searchguard.ssl.transport.enable_openssl_if_available=true (OpenSSL 1.0.2k-fips + apr.x86_64 1.4.8-3.el7)

  • searchguard.ssl.http.enable_openssl_if_available=true

  • searchguard.ssl.transport.keystore_type=PKCS12

  • searchguard.ssl.transport.keystore_filepath=es-master.p12 (es-data.p12 in es-data node)

  • searchguard.ssl.transport.keystore_password=changeit

  • searchguard.ssl.transport.truststore_type=JKS

  • searchguard.ssl.transport.truststore_filepath=truststore.jks

  • searchguard.ssl.transport.truststore_password=changeit

  • searchguard.ssl.transport.enforce_hostname_verification=false

  • searchguard.ssl.transport.resolve_hostname=false

changes in example.sh (etc/*.conf dont changed)

▎ ./gen_node_cert_openssl.sh “/CN=es-master.example.com/OU=SSL/O=Test/L=Test/C=DE” “es-master.example.com” “es-master” changeit capass

▎ ./gen_node_cert_openssl.sh “/CN=es-data.example.com/OU=SSL/O=Test/L=Test/C=DE” “es-data.example.com” “es-data” changeit capass

When cluster up and changed status from YELLOW to GREEN, es-master node exited with code 0, es-data is working but wait master node.

In TRACE logs i found

elasticsearch1 | [2017-09-20T07:49:20,114][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]

and

elasticsearch2 | [2017-09-20T07:49:21,160][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]

why?

ps. sorry for my English

elasticsearch1 | Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] as other node because of it matches one of [CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE]

lokk at the whitespaces (the string must match strictly but you can also use a wildcard (*) or regex here)

···

Am 20.09.2017 um 14:56 schrieb 4r7ur.l33@gmail.com:

elasticsearch1 | Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] as other node because of it matches one of [CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE]

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/a56cae69-99f0-4a9d-b8c4-12d08f50a363%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.