Can't connect second Elastic node

Hi,

I'm setting up an ELK cluster:

  • elastic-node1
  • elastic-node2
  • kibana-node1
    (Logstash will be created afterwards)

I have one Elasticsearch node that is connected to Kibana. I set up xpack.security / transport SSL; on elastic-node1 I created the CA certificate and the node certificates, and put them on each node.

with

bin/elasticsearch-setup-passwords auto -u http://elastic-node1:9200

I created all the passwords, and I'm now able to connect to Kibana with them.
The Kibana node has an Elasticsearch instance with:

node.master: false
node.data: false
node.ingest: false

When I run this command:

curl --user elastic -X GET "http://192.168.100.80:9200/?pretty"
Enter host password for user 'elastic':
{
"name" : "elastic-node1",
"cluster_name" : "clusterELK",
"cluster_uuid" : "upgsSlRgTmCAevgyhpfmMg",
"version" : {
"number" : "7.8.1",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
"build_date" : "2020-07-21T16:40:44.668009Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}

It's OK with elastic-node1. I try with elastic-node2:

curl --user elastic -X GET "http://192.168.100.81:9200/?pretty"
Enter host password for user 'elastic':
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "unable to authenticate user [elastic] for REST request [/?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
}
}
],
"type" : "security_exception",
"reason" : "unable to authenticate user [elastic] for REST request [/?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
}
},
"status" : 401
}

I can't connect to elastic-node2 or kibana-node1 on :9200.

Configuration:

cluster.name: clusterELK
node.name: elastic-node1
node.master: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elastic-node1.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elastic-node1.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
bootstrap.memory_lock: true
network.host: 192.168.100.80
http.port: 9200
discovery.seed_hosts: ["elastic-node1", "elastic-node2", "kibana-node1"]

cluster.name: clusterELK
node.name: elastic-node2
node.master: false
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elastic-node2.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elastic-node2.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
bootstrap.memory_lock: true
network.host: 192.168.100.81
http.port: 9200
discovery.seed_hosts: ["elastic-node1", "elastic-node2", "kibana-node1"]

When I "tail" the cluster logs on elastic-node2:

Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 192.168.100.80 found
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:325) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:268) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:263) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1215) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1158) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192) ~[?:?]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]

Thanks for your answers
Max
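
Added example (not part of the original post, and not Elasticsearch or JDK code): a simplified Python model of the name check behind the SSLHandshakeException in the log above, showing why a node reached by IP address fails verification when its certificate lists only DNS names. The SAN lists are constructed, since the post does not show the certificates' contents; `check_peer` and `_dns_match` are hypothetical names, and the wildcard rule is a simplification.

```python
import ipaddress

# Constructed SAN lists (assumptions): the post does not show the certificates' contents.
SAN_DNS_ONLY = [("DNS", "elastic-node1")]
SAN_DNS_AND_IP = [("DNS", "elastic-node1"), ("IP", "192.168.100.80")]


def _dns_match(pattern, host):
    """Compare a dNSName entry with a hostname; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_peer(address, san):
    """Return (ok, reason) for the address a node dialled and the peer certificate's SAN list."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None  # not an IP literal, so it is treated as a hostname
    if not san:
        return False, "No subject alternative names present"
    if ip is not None:
        # An IP literal is compared with iPAddress entries only, never with dNSName entries.
        for kind, value in san:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, "matched iPAddress " + value
        return False, "No subject alternative names matching IP address %s found" % address
    for kind, value in san:
        if kind == "DNS" and _dns_match(value, address):
            return True, "matched dNSName " + value
    return False, "No subject alternative DNS name matching %s found" % address


if __name__ == "__main__":
    for addr in ("192.168.100.80", "elastic-node1"):
        for label, san in (("DNS only", SAN_DNS_ONLY), ("DNS + IP", SAN_DNS_AND_IP)):
            print(addr, "|", label, "->", check_peer(addr, san))
```

A certificate that passes for both ways of addressing the node carries its IP as an iPAddress entry and its hostname as a dNSName entry.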
