I have been working on this for a while now and I still haven't been able to figure it out.
I have SSL working from Logstash to ElasticSearch, and from Kibana to ElasticSearch, but those settings don't work for adding nodes to my ElasticSearch cluster.
Here is my elasticsearch.yml
cluster.name: logstash-es.example.com
node.name: logstash-es01.ec2.example.com
node.master: true
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
path.repo: /var/lib/elasticsearch/backup
network.host: 0.0.0.0
#network.host: logstash-es01.ec2.example.com
transport.tcp.port: 9300
transport.tcp.compress: true
http.enabled: true
discovery.zen.hosts_provider: "ec2"
discovery.ec2.host_type: "private_ip"
discovery.ec2.endpoint: ec2.us-west-2.amazonaws.com
discovery.ec2.availability_zones: "us-west-2a,us-west-2b,us-west-2c"
discovery.ec2.groups: "Logstash Elasticsearch"
cluster.routing.allocation.awareness.attributes: aws_availability_zone
cloud.node.auto_attributes: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ssl/logstash-es01.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/logstash-es01.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/ca.example.com.crt" ]
#These Settings should be uncommented
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/ssl/logstash-es01.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/ssl/logstash-es01.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/ca.example.com.crt" ]
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.verification_mode: full
#These settings need to be commented out
#xpack.ssl.verification_mode: full
#xpack.ssl.key: /etc/elasticsearch/ssl/logstash-es01.key
#xpack.ssl.certificate: /etc/elasticsearch/ssl/logstash-es01.crt
#xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/ca.example.com.crt" ]
#xpack.ssl.client_authentication: required
As I said, everything from Logstash and Kibana to ElasticSearch works fine, but when I try to bring up logstash-es02 or logstash-es03 I receive the following error:
[2019-04-29T20:16:10,829][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [logstash-es01.ec2.example.com] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/10.1.39.247:34948}
Is there any way to find out why the client doesn't trust the server's cert? Is it a name thing, is it the fact that I am chaining? Does it just not like me?
I have specifically rebuilt the certs to make sure all of the names match, and everything is happy as far as Logstash and Kibana go, but I haven't figured out why ElasticSearch is failing.
If I comment out:
#These Settings should be uncommented
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/ssl/logstash-es01.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/ssl/logstash-es01.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/ca.example.com.crt" ]
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.verification_mode: full
And I uncomment:
#These settings need to be commented out
xpack.ssl.verification_mode: full
xpack.ssl.key: /etc/elasticsearch/ssl/logstash-es01.key
xpack.ssl.certificate: /etc/elasticsearch/ssl/logstash-es01.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/ca.example.com.crt" ]
xpack.ssl.client_authentication: required
Then everything works. Logstash and Kibana are happy, and I am able to join my other nodes to the cluster. But from what I was reading, xpack.ssl.{key,certificate,certificate_authorities,client_authentication} are for LDAP, which I am not using. So I should be using xpack.security.transport.ssl.{enabled,key,certificate,certificate_authorities,client_authentication}.
The commands that I am using to create my certs are as follows:
openssl genrsa -out logstash-es02.key 4096
openssl req -new -nodes -key logstash-es02.key -out logstash-es02.csr -config logstash.conf
openssl x509 -req -in logstash-es02.csr -CA CACert.pem -CAkey CAKey.pem -CAcreateserial -out logstash-es02.crt -days 900
openssl req -noout -text -in logstash-es.csr
I made sure that my CN in the logstash.conf matches the server name.
All the settings are identical between my ElasticSearch nodes, other than that I increment the number (01, 02, 03, etc.).
I have added multiple aliases to the Java keychain store as well:
logstash-es02.ec2.example.com
logstash-es02.example.com
logstash-es.example.com
At one point I added in the IP addresses and multiple different DNS names to the cert as well hoping that SAN would fix it. But I still receive the same error.
Any suggestions would be greatly appreciated.
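Added example (not part of the original post): with `xpack.security.transport.ssl.verification_mode: full` the connecting node checks that the peer's certificate chains to a configured CA and that its SAN covers the hostname or IP it actually dialled, so a quick way to narrow down a "client did not trust this server's certificate" error is to run those checks offline with openssl. The script builds a throwaway CA and node cert in a temp directory; the names `test-ca`, `es01.example.test` and the checked peer IP are constructed values, not the poster's real certificates.

```shell
#!/bin/sh
# Added example: reproduce the checks a peer node performs under
# verification_mode: full, using only openssl. All files are constructed here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA and a node cert whose SAN lists a DNS name only (no IP SAN).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=test-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=es01.example.test" \
  -keyout "$WORK/es01.key" -out "$WORK/es01.csr" 2>/dev/null
printf 'subjectAltName=DNS:es01.example.test\n' > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/es01.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -out "$WORK/es01.crt" 2>/dev/null

# Check 1: does the node cert chain to the CA in certificate_authorities? (0 = yes)
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo 0 || echo 1
}
# Check 2: does the SAN contain exactly the name or IP a peer connects with?
# This is the hostname-verification half of verification_mode: full.
san_covers() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' |
    sed 's/^ *//' | grep -qxF -e "DNS:$2" -e "IP Address:$2" && echo 0 || echo 1
}
# Check 3: does the configured private key actually belong to the certificate?
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
  [ "$c" = "$k" ] && echo 0 || echo 1
}

echo "chain to CA:        $(chain_ok "$WORK/ca.crt" "$WORK/es01.crt")"
echo "SAN covers DNS:     $(san_covers "$WORK/es01.crt" es01.example.test)"
# Peers found via discovery.ec2.host_type: private_ip dial an IP, so the IP must
# be in the SAN too; this cert has none, so the check reports 1 (not covered).
echo "SAN covers peer IP: $(san_covers "$WORK/es01.crt" 10.1.39.247)"
echo "key matches cert:   $(key_matches "$WORK/es01.crt" "$WORK/es01.key")"
```

Point the three functions at the real `ca.example.com.crt`, node `.crt` and `.key`, and pass the address shown in the log's `remoteAddress` (or the peer's DNS name) to `san_covers` to see which of the three conditions fails.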