Cannot validate certificate for X.X.X.X because it doesn’t contain any IP SANs


(Ihjaz Mohamed) #1

Hi,

I have seen the Note below from https://www.elastic.co/guide/en/beats/filebeat/current/securing-communication-elasticsearch.html

For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for hosts, or the SSL handshake fails. For example, if you specify hosts: ["foobar:9200"], the certificate MUST include foobar in the subject (CN=foobar) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in /etc/hosts (on Unix) or C:\Windows\System32\drivers\etc\hosts (on Windows).

In my case I've configured the filebeat.yml file with the IP address, and the hostname in the CN of the Logstash server certificate is DNS-resolvable to the IP in the filebeat.yml file.
Even then I see the error "X509: cannot validate certificate for X.X.X.X because it doesn't contain any IP SANs".

Why is the SSL handshake not doing a DNS resolution to match the CN in the certificate to the IP? Is this a bug in Beats' SSL handshake?


(Adrian Serrano) #2

Hi,

This is how an SSL handshake is supposed to work. Adding a reverse-DNS query for the IP address would pose a security risk.

I suggest you do it the right way and add an entry to your hosts file, as suggested in the documentation. Or, if you are in control of the Elasticsearch certificate, add the IP SAN field so that it can be validated using the IP address.

Otherwise, if you are just testing and don't mind rendering the security useless, you can set the verification_mode parameter to none. See https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#_literal_verification_mode_literal
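To show the behaviour described in the reply above, here is an added Go example (not Beats code and not part of this thread) that builds a constructed self-signed certificate for the assumed hostname logstash.example and runs Go's standard crypto/x509 verification against it, first by hostname and then by the assumed IP 10.0.0.5: the IP check only passes once the certificate carries an IP SAN, which is exactly the "doesn't contain any IP SANs" error Beats reports, since Beats uses Go's TLS stack.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a constructed, self-signed server certificate whose subject
// and DNS SAN are the assumed name "logstash.example"; ipSANs may be nil.
func makeCert(ipSANs []net.IP) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "logstash.example"},
		DNSNames:              []string{"logstash.example"},
		IPAddresses:           ipSANs,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// verifyAs performs the chain check plus the name check a TLS client does
// for the value it was told to connect to; no DNS lookup is ever involved.
func verifyAs(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust our own constructed cert, like ssl.certificate_authorities
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	noIP := makeCert(nil)
	withIP := makeCert([]net.IP{net.ParseIP("10.0.0.5")})
	fmt.Println("hostname, no IP SAN:", verifyAs(noIP, "logstash.example"))
	fmt.Println("IP, no IP SAN:      ", verifyAs(noIP, "10.0.0.5"))
	fmt.Println("IP, with IP SAN:    ", verifyAs(withIP, "10.0.0.5"))
}
```

The middle line prints the same x509 error the question quotes; adding the IP SAN (or pointing hosts at the name instead of the IP) is what makes it go away.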


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.