I have configured Elasticsearch to request a client certificate from clients. This has been configured in addition to username and password.
The truststore configured in Elasticsearch holds only one "server certificate", not the corresponding "CA" certificate. This is basically to require a direct match.
Now I have configured this specific “server certificate” as the client certificate (ssl.certificate) in metricbeat.yml.
Unfortunately, the connection fails with the message “remote error: tls: bad certificate”.
To make it work I have to add the corresponding CA certificate to the Elasticsearch truststore, which is kind of sad, because now all certificates from this CA can access the service.
It works differently for Kibana, for example: Kibana just shows the certificate I have configured and does no matching against the issuer, it seems.
The question now is whether there is a way to tell Metricbeat to always try the certificate configured via ssl.certificate, regardless of whether the “Issuer” matches the provided list of “Acceptable client certificate CA names”.
As far as I understand, it does not work because it would need to match the “subject” of the client certificate against the list of “Acceptable client certificate CA names”.
Anyways have a good one everybody!