However, once I re-enabled SG, the nodes do not see each other again and there is a certificate complaint in both logs:
···
===============
[2018-03-29T11:46:40,821][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [md02] SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_162]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:…) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:…) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:34…) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:…) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:…) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_162]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[?:?]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[?:?]
    ... 19 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching md01 found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214) ~[?:?]
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_162]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[?:?]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[?:?]
    ... 19 more
[2018-03-29T11:46:40,835][DEBUG][o.e.a.a.i.c.TransportCreateIndexAction] [md02] no known master node, scheduling a retry
[2018-03-29T11:46:41,584][DEBUG][c.f.s.s.t.S.ClientSSLHandler] Hostname of peer is hd03 (hd03/hd03) with hostnameVerificationResovleHostName: true
[2018-03-29T11:46:41,584][DEBUG][c.f.s.s.t.S.ClientSSLHandler] Hostname of peer is md01 (md01/md01) with hostnameVerificationResovleHostName: true
[2018-03-29T11:46:41,583][DEBUG][c.f.s.s.t.S.ClientSSLHandler] Hostname of peer is md03 (md03/md03) with hostnameVerificationResovleHostName: true
[2018-03-29T11:46:41,585][DEBUG][c.f.s.s.t.S.ClientSSLHandler] Hostname of peer is hd04 (hd04/hd04) with hostnameVerificationResovleHostName: true
[2018-03-29T11:46:41,585][DEBUG][c.f.s.s.t.S.ClientSSLHandler] Hostname of peer is hd01 (hd01/hd01) with hostnameVerificationResovleHostName: true
[2018-03-29T11:46:41,586][DEBUG][c.f.s.s.t.S.ClientSSLHandler] Hostname of peer is hd02 (hd02/hd02) with hostnameVerificationResovleHostName: true
[2018-03-29T11:46:41,830][DEBUG][o.e.a.a.i.c.TransportCreateIndexAction] [md02] no known master node, scheduling a retry
===============
On Thursday, March 29, 2018 at 11:42:03 AM UTC-5, iv…@uchicago.edu wrote:
OK this is what allows nodes to be discovered:
discovery.zen.ping.unicast.hosts: ["md01", "md02", "md03", "hd01", "hd02", "hd03", "hd04"]
On Thursday, March 29, 2018 at 11:28:27 AM UTC-5, iv…@uchicago.edu wrote:
Do I understand correctly that each node can have its own storage, that it does not have to be shared, and that the data directory can be the same on different nodes but point to different physical storage? Nodes learn about each other through the network only and not through what is stored on disk?
Without SG, the only thing that is needed for nodes to find each other is to have the same cluster.name?
On Thursday, March 29, 2018 at 11:21:52 AM UTC-5, iv…@uchicago.edu wrote:
Perhaps, I should delete SG index, start both nodes, see if they can find each other without SG and only then run sgadmin?
Do I understand correctly that deleting the SG index would disable SG but the sg entries in the configuration file will not confuse ES?
I tried deleting SG index and putting
searchguard.disabled: true
into elasticsearch.yml on both nodes.
The nodes still do not see each other.
What could the problem be?
There are several interfaces on each node.
Perhaps, I need to explicitly say somehow to ES which interface to use for internode communication?
Thank you,
Igor
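The last `Caused by` in the trace above is the JDK's own hostname verifier (`sun.security.util.HostnameChecker`, called from `X509TrustManagerImpl.checkIdentity`) rejecting the certificate that md01 presented to md02: with hostname verification enabled, the subject alternative names in a node's certificate must cover the name the peer used to reach it, here the short name `md01` from `discovery.zen.ping.unicast.hosts`, and they do not. The script below is an added example for this thread, not code from the poster, Search Guard or Elasticsearch. It re-runs that check outside the JVM against the Subject Alternative Name block that `openssl x509 -in node.pem -noout -text` prints for a certificate (`-ext subjectAltName` on OpenSSL 1.1.1+ prints the same block). The sample SAN text, the host names and the IP address in it are constructed for illustration: a hypothetical md01 certificate that carries an FQDN and a wildcard but not the short name.

```python
"""Re-run the JDK hostname check that produced
'No subject alternative DNS name matching md01 found.' above.

Added example for this thread; not Search Guard or Elasticsearch code.
Input is the Subject Alternative Name block as printed by
    openssl x509 -in node-md01.pem -noout -text
The sample below is constructed: a hypothetical md01 certificate whose
SAN carries an FQDN and a wildcard, but not the short name 'md01' that
discovery.zen.ping.unicast.hosts uses.
"""
import re

SAMPLE_SAN_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:md01.example.org, DNS:*.nodes.example.org, IP Address:10.0.0.11
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_san(text):
    """Collect dNSName and iPAddress entries from openssl's text output.

    Other lines of a full `-text` dump are ignored: only comma-separated
    items that start with 'DNS:' or 'IP Address:' are SAN entries.
    """
    dns, ips = set(), set()
    for line in text.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                dns.add(item[len("DNS:"):].strip().lower())
            elif item.startswith("IP Address:"):
                ips.add(item[len("IP Address:"):].strip())
    return dns, ips


def dns_entry_matches(entry, host):
    """One dNSName SAN entry against the peer name, JDK-style.

    Case-insensitive; a wildcard is honoured only as the whole leftmost
    label, only with at least two labels after it, and it stands in for
    exactly one label (so *.nodes.example.org does not cover
    a.b.nodes.example.org or nodes.example.org).
    """
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in entry:
        return entry == host
    e_labels, h_labels = entry.split("."), host.split(".")
    if e_labels[0] != "*" or len(e_labels) < 3:
        return False
    return len(e_labels) == len(h_labels) and e_labels[1:] == h_labels[1:]


def check_identity(san_text, peer):
    """Decide as X509TrustManagerImpl.checkIdentity would.

    Returns (ok, reason); the failure text mirrors the JDK messages seen
    in the log. The JDK's fallback to the subject CN when a certificate
    carries no SAN at all is not modelled here.
    """
    dns, ips = parse_san(san_text)
    if IPV4.fullmatch(peer):
        if peer in ips:
            return True, "matched IP Address:%s" % peer
        return False, "No subject alternative names matching IP address %s found." % peer
    for entry in sorted(dns):
        if dns_entry_matches(entry, peer):
            return True, "matched DNS:%s" % entry
    return False, "No subject alternative DNS name matching %s found." % peer


if __name__ == "__main__":
    # Names other nodes might use for md01. The first is the one in this
    # thread's unicast.hosts list, and it is the one that fails.
    for name in ("md01", "md01.example.org", "md01.nodes.example.org", "10.0.0.11"):
        ok, why = check_identity(SAMPLE_SAN_TEXT, name)
        print("%-24s %s  %s" % (name, "OK  " if ok else "FAIL", why))
```

Run it against each node's certificate once per name the other nodes use for that node: the short name from `unicast.hosts`, the FQDN, and, since the debug lines show `hostnameVerificationResovleHostName: true`, whatever the peer address reverse-resolves to. A certificate that fails should be reissued with the missing dNSName entries rather than worked around by turning off `searchguard.ssl.transport.enforce_hostname_verification`, which would leave transport TLS accepting any certificate signed by the cluster CA regardless of which host presents it. For the multi-interface question in the quoted post, the address Elasticsearch binds and publishes for transport is set by `network.host` (or `transport.host`), and the names in `unicast.hosts` must resolve to that address on every node.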