Problem converting to Search Guard FLX

I am trying to convert our 7.17.9 Elasticsearch installations from the original Search Guard to the new Search Guard FLEX. Before, when we started Elasticsearch, we would use the command:

/usr/share/elasticsearch/plugins/search-guard-7/tools/sgadmin.sh -cd /config/sg/ -cacert /config/certs/cacert.pem -cert /config/certs/esadmin.pem -key /config/certs/esadmin.key -keypass <password> -icl -nhnv -h aln-nbadev4.labs.server.com

The equivalent command in FLEX produces an error:

/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/sgctl.sh connect elasticsearch-aln-nbadev4.labs.server.com --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <elasticsearch-aln-nbadev4.labs.server.com> doesn't match any of the subject alternative names: [aln-nbadev4.labs.server.com]

If I add “elasticsearch-” to the beginning of the node name, that is definitely not correct:

/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/sgctl.sh connect elasticsearch-elasticsearch-aln-nbadev4.labs.server.com --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""
java.net.UnknownHostException: elasticsearch-elasticsearch-aln-nbadev4.labs.server.com: Name or service not known

What do I do to get this to work with my current certificates?

Elasticsearch version:
7.17.9

@silentfilm Could you share the SAN and CN of the elasticsearch-aln-nbadev4.labs.server.com node certificate?

Hi @silentfilm

Could you also try to run the command below with an insecure connection? The insecure connection means that hostname verification would not be enforced, therefore the discrepancies between the actual hostname and the hostname(s) contained in their certs would be ignored.

/usr/share/elasticsearch/plugins/search-guard-flx/sgctl-1.1.0/sgctl.sh connect elasticsearch-aln-nbadev4.labs.server.com --insecure --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password> ""

Here is the SAN from my certificate:

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:aln-nbadev4.labs.server.com

And the CN:

CN=esnode-aln-nbadev4.labs.server.com

So is the issue that I need another SAN DNS entry with the esnode name?

I’ll try the insecure command later today.

Yes, you should add a matching address to the SAN of the ES node certificate.

However, you could trick it by adding an entry in /etc/hosts on the machine where you execute the sgctl.sh script, mapping the certificate’s SAN entry “aln-nbadev4.labs.server.com” to ES’s IP address. That way you could use that FQDN in the command.

Sorry for the late reply, but I was pulled off this project for a week.

As suggested by Eugene7, there must be a SAN in the certificate that matches the CN exactly. Once the additional SAN matched the node name, not the hostname running Elasticsearch, the issue cleared up.

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:aln-nbadev4.labs.server.com, DNS:esnode-aln-nbadev4.labs.server.com
root@elasticsearch-aln-nbadev4:/usr/share/elasticsearch# ./sgctl-1.1.0/sgctl.sh connect aln-nbadev4.labs.server.com  --ca-cert /config/certs/cacert.pem --cert /config/certs/esadmin.pem --key /config/certs/esadmin.key --key-pass <password>
Successfully connected to cluster nba_elasticsearch_cluster (aln-nbadev4.labs.server.com) as user CN=esadmin,OU=nBA,O=Company,L=City,ST=MA,C=US
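Added example (not code from the thread or from Search Guard): a small model of the RFC 6125 host-name check that produced the SSLPeerUnverifiedException above. It takes the SAN line as printed by "openssl x509 -text", so a certificate can be checked against the host name you intend to give sgctl before running it. The rule it implements, which the JDK follows, is that DNS SANs are matched and the CN is consulted only when the certificate carries no DNS SAN at all; the host names and SAN values below are constructed to mirror the thread.

```python
# Added example: models TLS host-name verification against a certificate's SANs.
from typing import List, Optional

def parse_san_line(line: str) -> List[str]:
    """Parse the 'DNS:a, DNS:b' line from 'openssl x509 -text' output."""
    return [p.strip()[4:] for p in line.split(",") if p.strip().startswith("DNS:")]

def _name_matches(pattern: str, host: str) -> bool:
    """Match one SAN entry against a host name. A wildcard is honoured only as
    the entire leftmost label ('*.labs.server.com'), as browsers and the JDK do."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_hostname(host: str, san_dns: List[str], cn: Optional[str] = None) -> str:
    """Return 'ok' or the reason a TLS client would reject the certificate.
    The CN is a fallback only when the certificate has no DNS SAN (RFC 6125)."""
    names = san_dns if san_dns else ([cn] if cn else [])
    if not names:
        return "certificate carries neither DNS SANs nor a CN"
    if any(_name_matches(n, host) for n in names):
        return "ok"
    return (f"Certificate for <{host}> doesn't match any of the subject "
            f"alternative names: {names}")

# Constructed data mirroring the thread: original SAN/CN, then the fixed SAN.
CN = "esnode-aln-nbadev4.labs.server.com"
SAN_BEFORE = parse_san_line("DNS:aln-nbadev4.labs.server.com")
SAN_AFTER = parse_san_line(
    "DNS:aln-nbadev4.labs.server.com, DNS:esnode-aln-nbadev4.labs.server.com")

if __name__ == "__main__":
    for host in ("elasticsearch-aln-nbadev4.labs.server.com",
                 "aln-nbadev4.labs.server.com", CN):
        print(f"{host:45} before: {check_hostname(host, SAN_BEFORE, CN)}")
        print(f"{host:45} after:  {check_hostname(host, SAN_AFTER, CN)}")
```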

The --key-pass is not necessary anymore, and can be dropped.
