DefaultInterClusterRequestEvaluator

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version 5.5.1

  • Used enterprise modules, if any No

  • JVM version and operating system version OpenJDK 1.8.0 144, CentOS 7

  • Search Guard configuration files Standard

  • Elasticsearch log messages on debug level

Elasticsearch cluster by Docker + SG, 2 nodes: master + data, named es-master and es-data.

searchguard.authcz.admin_dn:

  • CN=admin, OU=client, O=client, L=Test, C=DE

searchguard.nodes_dn:

In ENV

  • searchguard.ssl.transport.enable_openssl_if_available=true (OpenSSL 1.0.2k-fips + apr.x86_64 1.4.8-3.el7)

  • searchguard.ssl.http.enable_openssl_if_available=true

  • searchguard.ssl.transport.keystore_type=PKCS12

  • searchguard.ssl.transport.keystore_filepath=es-master.p12 (es-data.p12 in es-data node)

  • searchguard.ssl.transport.keystore_password=changeit

  • searchguard.ssl.transport.truststore_type=JKS

  • searchguard.ssl.transport.truststore_filepath=truststore.jks

  • searchguard.ssl.transport.truststore_password=changeit

  • searchguard.ssl.transport.enforce_hostname_verification=false

  • searchguard.ssl.transport.resolve_hostname=false

changes in example.sh (etc/*.conf not changed)

./gen_node_cert_openssl.sh "/CN=es-master.example.com/OU=SSL/O=Test/L=Test/C=DE" "es-master.example.com" "es-master" changeit capass

./gen_node_cert_openssl.sh "/CN=es-data.example.com/OU=SSL/O=Test/L=Test/C=DE" "es-data.example.com" "es-data" changeit capass

When the cluster came up and changed status from YELLOW to GREEN, the es-master node exited with code 0; es-data is working but waiting for the master node.

In TRACE logs I found

elasticsearch1 | [2017-09-20T07:49:20,114][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]

and

elasticsearch2 | [2017-09-20T07:49:21,160][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]

why?

PS: sorry for my English

elasticsearch1 | Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] as other node because of it matches one of [CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE]

Look at the whitespaces (the string must match strictly, but you can also use a wildcard (*) or regex here)


On 20.09.2017 at 14:56, 4r7ur.l33@gmail.com wrote:

elasticsearch1 | Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] as other node because of it matches one of [CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE]

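The whitespace point in the reply, as an added example that is not Search Guard's own code: a small Python checker that runs the DNs from this thread against exact, wildcard and regex nodes_dn entries the way the evaluator is assumed to behave (the `/regex/` convention and the `*`/`?` glob semantics are assumptions about WildcardMatcher), and flags entries that fail only because of blanks after the commas.

```python
import re
from typing import List, Optional

# Principal exactly as the TRACE line prints it (RFC 2253 form, no blanks after commas).
PRINCIPAL = "CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE"

# nodes_dn entries as configured in the question (blank after every comma).
NODES_DN_BROKEN = [
    "CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE",
    "CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE",
]
# Wildcard entry from the working log line in the follow-up post.
NODES_DN_FIXED = ["CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE"]


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """An entry wrapped in slashes is treated as a regex; otherwise it is a glob
    ('*' = any run of characters, '?' = one character) and everything else must
    match character for character, blanks included. Assumed to mirror Search Guard."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.compile(pattern[1:-1])
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped)


def matching_entry(principal: str, nodes_dn: List[str]) -> Optional[str]:
    """Return the first nodes_dn entry the principal matches, or None
    (which is what produces the 'NOT as other node' trace)."""
    for entry in nodes_dn:
        if pattern_to_regex(entry).fullmatch(principal):
            return entry
    return None


def lint_whitespace(principal: str, nodes_dn: List[str]) -> List[str]:
    """Entries that would match once the blanks around the commas are removed:
    the exact misconfiguration behind the trace messages in the question."""
    suspicious = []
    for entry in nodes_dn:
        collapsed = re.sub(r"\s*,\s*", ",", entry)
        if collapsed != entry and pattern_to_regex(collapsed).fullmatch(principal):
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    print("broken config matches:", matching_entry(PRINCIPAL, NODES_DN_BROKEN))
    print("fixed config matches: ", matching_entry(PRINCIPAL, NODES_DN_FIXED))
    print("whitespace-only misses:", lint_whitespace(PRINCIPAL, NODES_DN_BROKEN))
```

Note that the wildcard only relaxes the CN: a certificate with the same CN pattern but a different O or OU still fails the match, so the trust boundary stays the issuing CA plus the rest of the DN.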