Elastic 8.7enrollement-token"failed to establish trust with server "

Julien069 · April 26, 2023, 2:25pm

Hi ,

I have a kibana server and an elastic server with differents IP address .

When I want to create a token for kibana with command :

sudo bin/elasticsearch-create-enrollement-token -s kibana

OR

sudo bin/elasticsearch-create-enrollement-token -s kibana --url "https://@ELASTIC IP ADDRESS:9200

I have an error : "Failed to establish trust with server at @ELASTIC IP ADDRESS"

I have a default config with network.host : @ELASTIC IP ADDRESS and http.port: 9200
It's a new install

Any idea ?

Thanks

Julien069 · May 2, 2023, 11:51am

Any idea ?

Julien069 · May 2, 2023, 12:55pm

my log :

sudo bin/elasticsearch-create-enrollment-token -s kibana

> 14:45:55.875 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [192.168.200.141]; the server provided a certificate with subject name [CN=elastic], fingerprint [982d15d1bd187a3a62f19ff63cca807045bda55d], no keyUsage and extendedKeyUsage [serverAuth]; the certificate is valid between [2023-04-25T14:36:14Z] and [2025-04-24T14:36:14Z] (current time is [2023-05-02T12:45:55.872722204Z], certificate dates are valid); the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1,IP:192.168.99.162,DNS:elastic]; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [0f92f1fc6d9c035d3aca7311b1c7febd113f0d5c] {trusted issuer}) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,StoreTrustConfig{path=/etc/elasticsearch/certs/http.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX}})])
> java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.200.141 found
> 	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:164) ~[?:?]
> 	at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
> 	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:458) ~[?:?]
> 	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:432) ~[?:?]
> 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238) ~[?:?]
> 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
> 	at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:80) ~[?:?]
> 	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
> 	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226) ~[?:?]
> 	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169) ~[?:?]
> 	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
> 	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
> 	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
> 	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
> 	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
> 	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510) ~[?:?]
> 	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425) ~[?:?]
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
> 	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:578) ~[?:?]
> 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
> 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142) ~[?:?]
> 	at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[?:?]
> 	at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
> 	at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) ~[?:?]
> 	at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:178) ~[?:?]
> 	at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:112) ~[?:?]
> 	at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.checkClusterHealthWithRetries(BaseRunAsSuperuserCommand.java:214) ~[?:?]
> 	at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.execute(BaseRunAsSuperuserCommand.java:127) ~[?:?]
> 	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54) ~[elasticsearch-8.7.0.jar:8.7.0]
> 	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85) ~[elasticsearch-cli-8.7.0.jar:8.7.0]
> 	at org.elasticsearch.cli.Command.main(Command.java:50) ~[elasticsearch-cli-8.7.0.jar:8.7.0]
> 	at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64) ~[cli-launcher-8.7.0.jar:8.7.0]
> 
> ERROR: Failed to determine the health of the cluster.

JLeysens · May 9, 2023, 10:16am

Hi @Julien069 ! The issue is the machine you are trying to create the enrollment token from does not have the ability to establish a connection over SSL (https). This is an issue with the certificate not including your Elasticsearch node's address, how did you generate the SSL certificate? It should include a SAN (Subject Alternative Name) entry for your IP address see:

The alternative is to just not connect over SSL (xpack.security.http.ssl.enabled: false), but I'm not sure whether that is an option for you?

Julien069 · May 9, 2023, 12:30pm

Hi Jean-louis ( French ? )

In fact , the problem comes from the change of the IP address .
I tried to generate a new CA but it doesn't work .

I don't understand somethings , what it's the difference between :

xpack.security.http.ssl

and

xpack.security.transport.ssl

For me ,http.ssl is for the webconsole and transport for the exchange between Elastic and Kibana ...

JLeysens · May 9, 2023, 12:55pm

I see, it seems your ES node's public IP address changed.

Again, to get a new certificate from your Elasticsearch central CA follow the link from the previous message and use the ./bin/elasticsearch-certutil http (from where you have ES installed) and follow the prompts.

http is for any traffic coming to your cluster over the Internet, this includes Kibana. transport is for internode communication - traffic that flows between your ES nodes.

Julien069 · May 10, 2023, 12:06pm

Thanks you very much for your help

system · June 7, 2023, 12:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error when creating a kibana token Elasticsearch	4	1740	October 23, 2022
Can't enroll token in elasticseacrh v8 in another vm Elasticsearch	1	353	July 27, 2022
What's the cause of the error and how to fix it? Elasticsearch	2	1444	August 21, 2022
Hostname/IP does not match certificate's altnames Kibana elastic-stack-security , docker	0	198	May 9, 2024
ERROR: Failed to determine the health of the cluster. , with exit code 69 Elasticsearch painless , runtime-fields	6	2989	January 28, 2024

Elastic 8.7__enrollement-token__"failed to establish trust with server "

Related topics

Elastic 8.7enrollement-token"failed to establish trust with server "