Hello,
I do not know where to begin. Maybe first…
Elasticsearch version:
7.8.1
Server OS version:
Centos 8
Kibana version (if relevant):
7.8.1
Browser version (if relevant):
Firefox
Browser OS version (if relevant):
Firefox
Describe the issue:
I cannot configure the connection / get the certificates generated with the sgtlstool.sh script to work.
When enabling shard allocation I get an error about no DNS name being resolved: "No subject alternative DNS name matching localhost found". I have the correct DNS name configured in the certificate. Please verify. I’ve lost several days on this already and can’t manage; every now and then I get new errors with SSL.
Steps to reproduce:
- Elasticsearch starts correctly.
- Trying to run the following command to enable shard allocation:
./sgadmin.sh --enable-shard-allocation -cert /etc/elasticsearch/tools/tools/out/kirk.pem -key /etc/elasticsearch/tools/tools/out/kirk.key -keypass changeit -cacert /etc/elasticsearch/tools/tools/out/root-ca.pem
It returns the following error:
ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
- My certificate is correct; I have specified the private IP address (of my host) and its name.
openssl x509 -noout -subject -in kirk.pem
subject=DC = pl, DC = petty, O = "Petty pl, Inc.", OU = Ops, CN = master-1.elastic.petty.pl
Expected behavior:
Start the cluster properly.
Provide configuration:
elasticsearch/config/elasticsearch.yml
bootstrap.memory_lock: true
#discovery.seed_hosts : []
#cluster.initial_master_nodes : []
cluster.initial_master_nodes:
- master-1
- master-2
cluster.name: elk-1
discovery.seed_hosts:
- master-1:9300
- master-2:9300
- node-1:9300
- node-2:9300
- node-3:9300
http.port: 9200
transport.tcp.port: 9300
network.host: 0.0.0.0
node.data: true
node.master: true
xpack.security.enabled: false
xpack.monitoring.enabled: false
xpack.security.transport.ssl.enabled: false
node.name: master-1
#SSL TRANSPORT
searchguard.enterprise_modules_enabled: false
searchguard.ssl.transport.pemcert_filepath: tools/tools/out/master-1.pem
searchguard.ssl.transport.pemkey_filepath: tools/tools/out/master-1.key
searchguard.ssl.transport.pemkey_password: changeit
searchguard.ssl.transport.pemtrustedcas_filepath: tools/tools/out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: no
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
#searchguard.ssl.http.enabled: true
#searchguard.ssl.http.pemcert_filepath: tools/tools/out/master-1_http.pem
#searchguard.ssl.http.pemkey_filepath: tools/tools/out/master-1_http.key
#searchguard.ssl.http.pemtrustedcas_filepath: tools/tools/out/root-ca.pem
#searchguard.nodes_dn:
# - CN=node-1.elastic.petty.pl,OU=SSL,O=Petty,L=Lodz, C=PL
# - CN=node-2.elastic.petty.pl,OU=SSL,O=Petty,L=Lodz, C=PL
# - CN=node-3.elastic.petty.pl,OU=SSL,O=Petty,L=Lodz, C=PL
#searchguard.authcz.admin_dn:
# - "CN=master-1.elastic.petty.pl,OU=client,O=client,L=Test,C=DE"
#################################### Paths ####################################
# Path to directory containing configuration (this file and logging.yml):
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml (DEFAULT)
kibana/config/kibana.yml (if relevant)
Provide logs:
Elasticsearch
ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
Kibana (if relevant)
Screenshots (if relevant):
Errors in browser console (if relevant):
Additional data:
My configuration to generate SSL:
# Specify the nodes of your ES cluster here
#
nodes:
- name: master-1
dn: CN=master-1.elastic.petty.pl,OU=Ops,O=petty pl, Inc.,DC=petty,DC=en
dns: master-1.elastic.petty.pl
ip: 10.10.10.27
- name: node-1
dn: CN=node-1.elastic.petty.pl,OU=Ops,O=petty pl, Inc.,DC=petty,DC=en
dns: node-1.elastic.petty.pl
ip: 10.10.10.28
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
- name: spock
dn: CN=spock.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
- name: kirk
dn: CN=master-1.elastic.petty.pl,OU=Ops,O=petty pl, Inc.,DC=petty,DC=pl
admin: true
A few questions.
- Do my nodes need to have https ssl configured to connect to each other?
- Do I need to configure https ssl to make the connection work?
- If I don’t use -keypass changeit then I get bad SSL information…
- Does the IP address in the host have to be public?
My /etc/hosts:
10.10.10.27 master-1.elastic.petty.pl master-1
10.10.10.28 node-1.elastic.petty.pl node-1
10.10.10.29 node-2.elastic.petty.pl node-2
10.10.10.30 node-3.elastic.petty.pl node-3
10.10.10.31 kibana.elastic.petty.pl kibana
10.10.10.32 logstash.elastic.petty.pl logstash
10.10.10.33 master-2.elastic.petty.pl master-2
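The message in the post, "No subject alternative DNS name matching localhost found", is produced by the Java hostname verifier when the certificate presented by the node does contain DNS subject alternative names but none of them equals the name the client connected to. sgadmin connects to localhost unless told otherwise with -h, and the name it checks is the node's transport certificate (master-1.pem here), not kirk.pem, which is only the client certificate sgadmin presents. The subject printed with `openssl x509 -noout -subject` plays no part in that check; `openssl x509 -noout -ext subjectAltName -in master-1.pem` shows the names that do. The following is an added example, not code from the post or from Search Guard: a small Python reimplementation of that matching logic, operating on a certificate decoded in the shape `ssl.SSLSocket.getpeercert()` returns. The certificate contents are constructed from the sgtlstool "nodes" entry for master-1 above (the real master-1.pem is not on this page, so the SAN values are an assumption), and the function names are mine.

```python
import ipaddress

# Constructed certificate, decoded the way ssl.SSLSocket.getpeercert() returns it.
# Assumed to mirror the sgtlstool "nodes" entry for master-1 in the post:
# one DNS SAN and one IP SAN, plus the subject DN. Not the real master-1.pem.
NODE_CERT = {
    "subject": (
        (("domainComponent", "en"),),
        (("domainComponent", "petty"),),
        (("organizationName", "petty pl, Inc."),),
        (("organizationalUnitName", "Ops"),),
        (("commonName", "master-1.elastic.petty.pl"),),
    ),
    "subjectAltName": (
        ("DNS", "master-1.elastic.petty.pl"),
        ("IP Address", "10.10.10.27"),
    ),
}


def _dns_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).
    Comparison is case-insensitive; a wildcard is honoured only as the whole
    left-most label, must leave at least two labels after it, and never
    matches more than one label (so *.a.b does not match x.y.a.b)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def san_entries(cert, kind):
    """All SAN values of one type, e.g. "DNS" or "IP Address"."""
    return [value for (key, value) in cert.get("subjectAltName", ()) if key == kind]


def subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_hostname(cert, target):
    """Return (ok, reason) for connecting to `target` against `cert`.
    Same rules as the Java verifier behind the error in the post: an IP
    literal is compared only with iPAddress SANs, a name only with dNSName
    SANs, and the subject CN is consulted only when no dNSName SAN exists."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for value in san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"matched IP SAN {value}"
            except ValueError:
                continue
        return False, f"No subject alternative names matching IP address {target} found"
    dns_names = san_entries(cert, "DNS")
    for name in dns_names:
        if _dns_matches(name, target):
            return True, f"matched DNS SAN {name}"
    if dns_names:
        # DNS SANs are present but none matched: the exact situation in the post.
        return False, f"No subject alternative DNS name matching {target} found"
    # Legacy fallback: only a certificate with no DNS SAN at all is judged by its CN.
    cn = subject_cn(cert)
    if cn and _dns_matches(cn, target):
        return True, f"matched subject CN {cn} (no DNS SAN present)"
    return False, f"No name matching {target} found"


if __name__ == "__main__":
    # What sgadmin does by default (localhost) versus the names the SAN actually carries.
    for target in ("localhost", "master-1.elastic.petty.pl", "MASTER-1.elastic.petty.pl",
                   "10.10.10.27", "127.0.0.1"):
        print(f"{target:28s} -> {check_hostname(NODE_CERT, target)}")
```

Running it shows "localhost" and "127.0.0.1" rejected while "master-1.elastic.petty.pl" (in any letter case) and "10.10.10.27" pass, so pointing sgadmin at a name or address that is in the node certificate's SAN satisfies the check. Disabling hostname verification instead (the transport setting enforce_hostname_verification: false already does this between nodes) removes the protection that binds a certificate to the host presenting it, so it is better to get the SAN right and keep verification on.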