Adding Site Alternate Name (SAN) to the docker run command

I used the following command to bring up an Elasticsearch node. It is straight out of the instructions (link).

docker run -d \
   --name es01 \
   --net elastic \
   -p 9200:9200 -p 9300:9300 \
   -it \
   docker.elastic.co/elasticsearch/elasticsearch:8.4.2

I then copy the http_ca.crt using -

 docker cp es01:/usr/share/elasticsearch/config/certs/http_ca.crt .

And I can get a response from both inside the VM and on the host using -

curl --cacert http_ca.crt -u elastic https://localhost:9200

But I can't get the same from outside of the host. The host name is es-search. So when I run the same curl command from outside, I get the following error message -

*   Trying 10.1.10.139:9200...
* Connected to es-search (10.1.10.139) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: http_ca.crt
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=fedca731229b
*  start date: Sep 26 14:26:45 2022 GMT
*  expire date: Sep 25 14:26:45 2024 GMT
*  subjectAltName does not match es-search
* SSL: no alternative certificate subject name matches target host name 'es-search'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'es-search'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I'm thinking that I need to have an instances.yml file to have the security set up automatically and include the es-search name. elasticsearch-certgen | Elasticsearch Guide [8.4] | Elastic

Any guidance or hints would be greatly appreciated.

Mark

Yes, you will need an instances file... and include that IP in it and/or perhaps the DNS / hostname of the hosting server, then make that available and then have it run the right command (not the Docker expert here)... not sure how to inject / change that process...

What I would do .... look further down the page and use docker-compose here

You could put that inline in the compose file

        if [ ! -f config/certs/certs.zip ]; then
          echo "Creating certs";
          echo -ne \
          "instances:\n"\
          "  - name: es01\n"\
          "    dns:\n"\
          "      - es01\n"\
          "      - localhost\n"\
          "      - myhost\n"\<!----- Maybe add this too 
          "    ip:\n"\
          "      - 127.0.0.1\n"\
          "      - 10.1.10.139\n"\ <!----- HERE 

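
Added example, not part of the thread or of Elastic's documentation: POSIX shell functions that write the instances file discussed above with the extra host name and IP, and that check whether a given server certificate already covers a name. The function names are hypothetical; `es-search` and `10.1.10.139` are the values from the question, and `cert_covers` assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not Elastic tooling.
nl='
'

# is_ipv4 <value>: true for dotted-quad syntax (octet ranges are not checked).
is_ipv4() {
  case $1 in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;   # non-digit character or empty octet
    *.*.*.*.*) return 1 ;;              # more than four octets
    *.*.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# write_instances <node-name> <out-file> <san>...
# Writes an instances file for `elasticsearch-certutil cert --in <out-file>`.
# Values with characters outside [A-Za-z0-9.-] are rejected so that a name
# cannot inject extra YAML; the rest go into the dns: or ip: list.
write_instances() {
  name=$1; out=$2; shift 2
  dns=''; ips=''
  for san in "$name" "$@"; do
    case $san in
      ''|*[!A-Za-z0-9.-]*) echo "rejected value: '$san'" >&2; return 1 ;;
    esac
  done
  for san in "$@"; do
    if is_ipv4 "$san"; then ips="$ips      - $san$nl"
    else dns="$dns      - $san$nl"
    fi
  done
  {
    printf 'instances:\n  - name: %s\n' "$name"
    [ -z "$dns" ] || printf '    dns:\n%s' "$dns"
    [ -z "$ips" ] || printf '    ip:\n%s' "$ips"
  } > "$out"
}

# cert_covers <server-cert.pem> <host-or-ip>
# Succeeds only if the certificate matches the name, using openssl's own check.
cert_covers() {
  if is_ipv4 "$2"; then flag=-checkip; else flag=-checkhost; fi
  openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'
}
```

For the setup in the question, `write_instances es01 instances.yml es01 localhost es-search 127.0.0.1 10.1.10.139` produces a file with the same layout as the compose snippet above, including the host name and IP that remote clients use.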