DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed

I am getting the following deprecation warning in both filebeat and metricbeat. I am currently using ES 7.17.9, but will be upgrading to 8.x soon:

DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed.  Please update your certificates if needed. Will be removed in version: 8.0.0

I can't figure out exactly what needs to change with my certificate. My CN field is:

 CN=esnode-aln-nbadev4.labs.server.com

My SAN value for filebeat 7.17.9 is:

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:aln-nbadev4.labs.server.com

I tried adding this to the certificate, but I still get the deprecation message. What needs to be added to the certificate?

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:aln-nbadev4.labs.server.com, DNS:esnode-aln-nbadev4.labs.server.com

Hi Bruce,

Are you able to regenerate the certificates? I would also recommend checking the location of the keystore in your configuration. The below resources might help:

  1. Filebeat vs elastic output
  2. SSL configuration assistance
  3. DEPRECATED: CommonName field on X.509 certificates

Filebeat and elasticsearch are working just fine. I'm just trying to eliminate the deprecation warning about the certificate. I can easily regenerate the certificates.

I added an additional SAN value to try to fix the issue (esnode-aln-nbadev4.labs.server.com), but it did not affect anything. The error message says that no Subject Alternative Names are present, when one or two clearly are present. I'm trying to figure out what this error message is trying to get me to change.

Is the CN supposed to match the fully qualified node name exactly? Because our elasticsearch CN has "esnode-" at the beginning of it and then the node name follows.

    [root@aln-nbadev4 filebeat]# filebeat keystore list
    ES_FILEBEAT_PASSWORD
    ES_FILEBEAT_USERNAME

And from filebeat.yml:

    output.elasticsearch:
      enabled: true
      hosts: [ "https://aln-nbadev4.labs.server.com:9200" ]
      username: ${ES_FILEBEAT_USERNAME}
      password: ${ES_FILEBEAT_PASSWORD}
      protocol: "https"
      ssl.certificate_authorities: [ "/etc/filebeat/esnode.pem" ]
