Elasticsearch version 6.5.4
Kibana Version 6.5.4
Search Guard version 6:6.5.4-24.1
Please suggest how to set up Search Guard with a load balancer DNS name so that client machines can access the Elastic cluster using client certs.
I have an Elasticsearch setup with a 4 node cluster and an Azure Load balancer in front of the 4 nodes. I have a DNS name assigned to the Load balancer IP so that client machines connect through the Load balancer DNS on port 9200 (http://elastic-nprod-example.net:9200). Even if I re-provision the Elastic cluster I just need to update the DNS with the new Load balancer IP; nothing needs to be updated on the client machines.
Right now I am trying to install Search Guard on all the nodes. I am using the offline TLS tool to generate certs for the nodes by following the documentation below.
TLS tool: https://search.maven.org/search?q=a:search-guard-tlstool
Once the certs are generated for all the nodes and sgadmin is initialized, I am able to access the nodes using certs or user/password from client machines by hitting either the node DNS or the node IP on port 9200.
I have updated the Load balancer IP in sg_config.yml to allow access.
I want to access all the nodes of the Elastic cluster using certs by hitting the Elastic Load balancer DNS, not the node DNS, so that if one node dies tomorrow the others will still be available to get the logs from the client machines.
I have tried to generate certs in multiple ways with the offline TLS tool.
- Adding the Load balancer DNS and IP to both node sections in tls_config.yml
nodes:
  - name: elastic1
    # comma inside the O= value must be escaped so the DN parses as one RDN
    dn: CN=elastic1.example.net,OU=Ops,O=example EX\, Ltd.,DC=example,DC=net
    dns:   # DNS SAN list (the entries were not preserved in the post)
    ip:
      - 10.10.10.10
      - 10.10.10.9
  - name: elastic2
    dn: CN=elastic2.example.net,OU=Ops,O=example EX\, Ltd.,DC=example,DC=net
    dns:
    ip:
      - 10.10.10.11
      - 10.10.10.9
This method seems to be working, but not always; sometimes when I hit the Elastic cluster using the Load balancer DNS on port 443:9200 using certs it complains about SSL (curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
- Adding the Load balancer DNS as a wildcard entry.
nodesDn:
  #- "CN=*.example.com,OU=Ops,O=example Com\, Inc.,DC=example,DC=net"
  - 'CN=elastic-nonprod.example.net,OU=Ops,O=example EX\, Ltd.,DC=example,DC=net'
  - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
  - 'CN=elk-devcluster*'
  - '/CN=.*regex/'
I have added the Load balancer IP to sg_config.yml in both scenarios. This one does not seem to work; I am not able to access the cluster on 443 using client certs with the Load balancer DNS.
Thanks in advance for your help!!!
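As an added example (not from the original post or from the Search Guard tooling): a small Python check of whether the names clients connect with, such as the load balancer DNS name, are covered by a node certificate's subjectAltName, which is the check behind curl's error 51. The sample certificate dict is constructed to mirror what `ssl.SSLSocket.getpeercert()` returns; `fetch_peercert` and its `ca_file` parameter are my own helper, assumed to be pointed at the root CA produced by the TLS tool.

```python
"""Check which client-facing names a node certificate's SAN actually covers."""
import ipaddress
import socket
import ssl

def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard must be the entire first label, cover exactly one label,
    # and leave at least two labels behind it (no '*.net')
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def san_covers(peercert: dict, name: str) -> bool:
    """True if `name` (DNS name or IP literal) appears in the cert's SAN."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    for kind, value in peercert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_label_match(value, name):
            return True
    return False

def missing_names(peercert: dict, names) -> list:
    """Names clients will use that the certificate does not cover."""
    return [n for n in names if not san_covers(peercert, n)]

def fetch_peercert(host: str, port: int, ca_file: str) -> dict:
    """Hypothetical helper: fetch the cert a client sees when connecting via `host`."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # name matching is done by san_covers() instead
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a node cert whose SAN carries the node name and both IPs
# (node IP and load balancer IP) but not the load balancer DNS name.
NODE_CERT = {
    "subject": ((("commonName", "elastic1.example.net"),), (("organizationalUnitName", "Ops"),)),
    "subjectAltName": (("DNS", "elastic1.example.net"),
                       ("IP Address", "10.10.10.10"),
                       ("IP Address", "10.10.10.9")),
}
CLIENT_NAMES = ["elastic1.example.net", "10.10.10.9", "elastic-nprod-example.net"]
```

Running `missing_names(NODE_CERT, CLIENT_NAMES)` on the sample reports only the load balancer DNS name, so a client that connects by that name gets exactly the name-mismatch error, while one that connects by the load balancer IP does not.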