Disabling Hostname Verification on Elasticsearch 7.16 Outbound Connections

icey7z · April 12, 2023, 9:06am

I'm trying to do a remote reindexing from a 5.3 cluster to a 7.16 cluster, and need a way to disable hostname verification when communicating between them. The 5.3 cluster's certificate doesn't match the hostname, and I would like to avoid changing the cert if I can.

Failure response is

{
  "error" : {
    "root_cause" : [
      {
        "type" : "s_s_l_peer_unverified_exception",
        "reason" : "Host name '<REDACTED>' does not match the certificate subject provided by the peer (CN=<DIFFERENT_REDACTED>, OU=<REDACTED3>, O=\"<REDACTED4>\", C=US)"
      }
    ],
    "type" : "s_s_l_peer_unverified_exception",
    "reason" : "Host name '<REDACTED>' does not match the certificate subject provided by the peer (CN=<DIFFERENT_REDACTED>, OU=<REDACTED3> O=\"<REDACTED4>\", C=US)"
  },
  "status" : 500
}

Per other threads I've found like Disable hostname verification for xpack monitoring, I've tried setting xpack.monitoring.elasticsearch.ssl.verification_mode: "certificate" and xpack.monitoring.elasticsearch.ssl.verificationMode: "certificate" in elasticsearch.yml, but get the following back when trying to start Elasticsearch

java.lang.IllegalArgumentException: unknown setting [xpack.monitoring.elasticsearch.ssl.verification_mode] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:561)
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:507)
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:477)
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:447)
	at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:137)
	at org.elasticsearch.node.Node.<init>(Node.java:500)
	at org.elasticsearch.node.Node.<init>(Node.java:309)
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:234)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:234)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:434)
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:166)
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:157)
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:77)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112)
	at org.elasticsearch.cli.Command.main(Command.java:77)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:122)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:80)
For complete error details, refer to the log at <ALSO_REDACTED>

Is there actually a setting I can use to disable hostname verification here?

TimBosman · April 12, 2023, 9:33am

Hey Eric,

Take a look at the xpack.security.http.ssl.verification_mode setting. This is the setting for the api. More information can be found here.
I hope this helps,

Tim

icey7z · April 12, 2023, 7:43pm

Thanks Tim. I just tried applying that setting to the elasticsearch.yml files, and then restarted the cluster. However, I still get the same 500 error as above when I attempt to reindex.

icey7z · April 12, 2023, 7:49pm

Here's what I have in elasticsearch.yml

xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true

xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ]
xpack.security.http.ssl.verification_mode: "certificate"

xpack.security.http.ssl.keystore.type: BCFKS
xpack.security.http.ssl.keystore.path: <REDACTED>
xpack.security.http.ssl.truststore.type: BCFKS
xpack.security.http.ssl.truststore.path: <REDACTED>

xpack.security.transport.ssl.keystore.type: BCFKS
xpack.security.transport.ssl.keystore.path: <REDACTED>
xpack.security.transport.ssl.truststore.type: BCFKS
xpack.security.transport.ssl.truststore.path: <REDACTED>

xpack.notification.email.ssl.keystore.type: BCFKS
xpack.notification.email.ssl.keystore.path: <REDACTED>
xpack.notification.email.ssl.truststore.type: BCFKS
xpack.notification.email.ssl.truststore.path: <REDACTED>

xpack.security.fips_mode.enabled: false
#xpack.security.fips_mode.enabled: true
xpack.security.authc.password_hashing.algorithm: pbkdf2

stack.templates.enabled: false
reindex.remote.whitelist: <REDACTED>

icey7z · April 12, 2023, 8:01pm

Turns out, the property I was looking for was

reindex.ssl.verification_mode

all along!

system · May 10, 2023, 8:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Hostname verification turn off for curl requests Elasticsearch elastic-stack-security	6	5362	December 26, 2019
Host name does not match the certificate Elasticsearch elastic-stack-security	3	3208	May 7, 2021
Logstash- Unable to retrieve license information from license server Logstash elastic-stack-monitoring , elastic-stack-security	5	25174	March 31, 2021
Does not match the certificate subject provided by the peer Logstash elastic-stack-security	4	4132	March 25, 2021
Logstash elasticsearch-filter disable ssl verification Logstash	1	6253	April 7, 2020

Disabling Hostname Verification on Elasticsearch 7.16 Outbound Connections

Related Topics