Problem converting to Search Guard FLX

I am trying to convert our 7.17.9 Elasticsearch installations from the original Search Guard to the new Search Guard FLEX. Before, when we started Elasticsearch, we would use the command:

/usr/share/elasticsearch/plugins/search-guard-7/tools/ -cd /config/sg/ -cacert /config/certs/cacert.pem -cert /config/certs/esadmin.pem -key /config/certs/esadmin.key -keypass <password> -icl -nhnv -h

The equivalent command in FLEX produces an error:

/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/ connect --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""

Certificate for <> doesn't match any of the subject alternative names: []

If I add “elasticsearch-” to the beginning of the node name, that is definitely not correct:

/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/ connect --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""

Name or service not known

What do I do to get this to work with my current certificates?

Elasticsearch version:

@silentfilm Could you share SAN and CN of the node certificate?

Hi @silentfilm

Could you also try to run the command below with an insecure connection? The insecure connection means that hostname verification would not be enforced, therefore the discrepancies between the actual hostname and the hostname(s) contained in their certs would be ignored.

/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/ connect --insecure --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""

Here is the SAN from my certificate:

        X509v3 extensions:
            X509v3 Subject Alternative Name:

And the CN:

So is the issue that I need another SAN DNS entry with the esnode name?

I’ll try the insecure command later today.

Yes, you should add a matching address to the SAN of the ES node certificate.

However, you could trick it by adding an entry in /etc/hosts, where you execute the script, matching the certificate’s SAN entry “” and ES’s IP address. That way you could use that FQDN in the command.
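To make the two suggestions above concrete, here is an added example (not part of this thread and not sgctl's own code) that emulates the hostname check a TLS client performs against a server certificate's Subject Alternative Name: it parses the SAN section from `openssl x509 -noout -text` output, decides whether the name you connect with matches a DNS or IP entry, and lists which SAN names would work once they resolve (for instance via an /etc/hosts entry). The certificate text, node names and addresses are constructed for the example; the exact verification logic inside sgctl is not reproduced here.

```python
"""Emulate the hostname-vs-SAN check a TLS client applies to a node certificate."""
import ipaddress

# Constructed sample of `openssl x509 -in node.pem -noout -text` output.
# The names and addresses below are made up for this example.
SAMPLE_OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:esnode1.example.internal, DNS:*.nodes.example.internal, IP Address:10.0.0.15
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Constructed stand-in for /etc/hosts: SAN FQDN -> node IP.
HOSTS = {"esnode1.example.internal": "10.0.0.15"}

SAN_HEADER = "X509v3 Subject Alternative Name:"


def parse_openssl_san(text):
    """Return [(kind, value), ...] from the SAN line that follows the SAN header."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == SAN_HEADER and i + 1 < len(lines):
            entries = []
            for item in lines[i + 1].split(","):
                kind, _, value = item.strip().partition(":")
                if value:
                    entries.append((kind.strip(), value.strip()))
            return entries
    return []


def _dns_matches(host, pattern):
    """Case-insensitive DNS match; a wildcard may only be the whole leftmost label
    and matches exactly one label (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False
    hfirst, _, hrest = host.partition(".")
    return bool(hfirst) and hrest == rest


def san_matches(host, san_entries):
    """True if the connect name (DNS name or IP literal) matches some SAN entry.
    An IP literal is only compared against IP entries, a DNS name only against DNS entries."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "DNS" and ip is None and _dns_matches(host, value):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def describe_connect(host, san_entries):
    """Return 'ok' or a message in the style of the error quoted in the thread."""
    if san_matches(host, san_entries):
        return "ok"
    listed = [f"{kind}:{value}" for kind, value in san_entries]
    return f"Certificate for {host} doesn't match any of the subject alternative names: {listed}"


def connectable_names(san_entries, resolver):
    """SAN values usable as a connect target: literal DNS names that resolve
    (resolver maps name -> IP or None, e.g. HOSTS.get) plus IP entries."""
    names = []
    for kind, value in san_entries:
        if kind == "DNS" and "*" not in value and resolver(value) is not None:
            names.append(value)
        elif kind == "IP Address":
            names.append(value)
    return names


if __name__ == "__main__":
    entries = parse_openssl_san(SAMPLE_OPENSSL_TEXT)
    for candidate in ("esnode1.example.internal", "elasticsearch-esnode1", "10.0.0.15"):
        print(candidate, "->", describe_connect(candidate, entries))
    print("connectable:", connectable_names(entries, HOSTS.get))
```

The takeaway matches the advice in the thread: the name passed to `connect` must both resolve and appear in the SAN, so either the node certificate gets a DNS or IP entry for the name you use, or a hosts entry makes an existing SAN name resolve to the node.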

Sorry for the late reply, but I was pulled off this project for a week.

As suggested by Eugene7, there must be a SAN in the certificate that matches the CN exactly. Once the additional SAN matched the node name, not the hostname running Elasticsearch, the issue cleared up.

        X509v3 extensions:
            X509v3 Subject Alternative Name:
root@elasticsearch-aln-nbadev4:/usr/share/elasticsearch# ./sgctl-1.1.0/ connect  --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password>
Successfully connected to cluster nba_elasticsearch_cluster ( as user CN=esadmin,OU=nBA,O=Company,L=City,ST=MA,C=US

The --key-pass is not necessary anymore, and can be dropped.
