I am trying to convert our 7.17.9 Elasticsearch installations from the original Search Guard to the new Search Guard FLEX. Before, when we started Elasticsearch, we would use the command:
/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/sgctl.sh connect elasticsearch-aln-nbadev4.labs.server.com --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <elasticsearch-aln-nbadev4.labs.server.com> doesn't match any of the subject alternative names: [aln-nbadev4.labs.server.com]
If I add “elasticsearch-” to the beginning of the node name, that is definitely not correct:
/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/sgctl.sh connect elasticsearch-elasticsearch-aln-nbadev4.labs.server.com --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""
java.net.UnknownHostException: elasticsearch-elasticsearch-aln-nbadev4.labs.server.com: Name or service not known
What do I do to get this to work with my current certificates?
Could you also try to run the command below with an insecure connection? The insecure connection means that hostname verification would not be enforced, therefore the discrepancies between the actual hostname and the hostname(s) contained in their certs would be ignored.
Yes, you should add a matching address to the SAN of the ES node certificate.
However, you could trick it by adding an entry in /etc/hosts on the machine where you execute the sgctl.sh script, mapping the certificate’s SAN entry “aln-nbadev4.labs.server.com” to ES’s IP address. That way you could use that FQDN in the command.
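An added example (not from this thread or from Search Guard) showing the check the client is performing: once a certificate carries a subjectAltName, hostname verification compares the name you connect to against the DNS SAN entries only, so the CN does not help. The script below pulls the DNS SANs out of a PEM certificate with openssl and reports whether a given hostname would pass (exact match, or a single wildcard label). The certificate path and the names used are assumptions taken from the thread; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Pre-flight check for the hostname you intend to pass to `sgctl.sh connect`.
# Added example; not part of the Search Guard tooling.

# Print the DNS SAN entries of a PEM certificate, one per line.
# (Uses `openssl x509 -ext subjectAltName`, available in OpenSSL 1.1.1+.)
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if HOST is covered by one of the SAN patterns that follow it,
# 1 otherwise. A wildcard covers exactly one leftmost label, as TLS
# clients apply it; a CN is never consulted here, matching client behaviour
# when SANs are present.
host_matches_sans() {
    h=$1; shift
    for san in "$@"; do
        case $san in
            \*.*)
                suffix=${san#\*}          # e.g. ".labs.server.com"
                case $h in
                    *"$suffix")
                        head=${h%"$suffix"}   # the part the wildcard must cover
                        case $head in
                            *.*|"") ;;        # empty or multi-label: no match
                            *) return 0 ;;
                        esac ;;
                esac ;;
            *)
                [ "$h" = "$san" ] && return 0 ;;
        esac
    done
    return 1
}

# Diagnose HOST against the SANs in CERT and suggest the two fixes from the thread.
check_connect_host() {
    target=$1; cert=$2
    set -- $(san_dns_names "$cert")
    if host_matches_sans "$target" "$@"; then
        echo "OK: $target is covered by the certificate SANs: $*"
    else
        echo "MISMATCH: $target is not covered by the certificate SANs: $*"
        echo "Either reissue the node certificate with DNS:$target in its SAN,"
        echo "or connect using one of the SAN names (an /etc/hosts entry mapping"
        echo "that name to the node's IP works if DNS does not resolve it)."
        return 1
    fi
}

# Usage (assumed path to the node certificate):
#   check_connect_host elasticsearch-aln-nbadev4.labs.server.com /config/certs/esnode.pem
```

With the SAN list from the thread (aln-nbadev4.labs.server.com only), the original target elasticsearch-aln-nbadev4.labs.server.com reports MISMATCH, which is the same condition the SSLPeerUnverifiedException is describing.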
Sorry for the late reply, but I was pulled off this project for a week.
As suggested by Eugene7, there must be a SAN in the certificate that matches the CN exactly. Once the additional SAN matched the node name, not the hostname running Elasticsearch, the issue cleared up.
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:aln-nbadev4.labs.server.com, DNS:esnode-aln-nbadev4.labs.server.com
root@elasticsearch-aln-nbadev4:/usr/share/elasticsearch# ./sgctl-1.1.0/sgctl.sh connect aln-nbadev4.labs.server.com --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password>
Successfully connected to cluster nba_elasticsearch_cluster (aln-nbadev4.labs.server.com) as user CN=esadmin,OU=nBA,O=Company,L=City,ST=MA,C=US
The --key-pass is not necessary anymore, and can be dropped.