Elasticsearch-create-enrollment-token using IP from wrong ethernet adaptor

Hi,
We have two ethernet adaptors and hence 2 IPs. When we try to generate an enrollment token, it always uses the 2nd IP by default.

Is there any way to override the default and specify which IP to use or can we use hostname? TIA


Which scope of enrollment token did you try to create, Kibana or Node?

Node. (/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -f -s node)

We have disabled Ip2 (interface 2) and set network.host to Ip1 in elasticsearch.yml. But when we enabled Ip2 again and re-ran "elasticsearch-create-enrollment-token -f -s node", it fails again with the error:

Invalid cert, cert does not have Ip2 in SAN.

Current setup:

Interfaces and IPs

[root]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9b:19:65 brd ff:ff:ff:ff:ff:ff
    inet 10.134.101.193/27 brd 10.134.101.223 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9b:71:b5 brd ff:ff:ff:ff:ff:ff
    inet 10.116.1.64/21 brd 10.116.7.255 scope global noprefixroute ens224
       valid_lft forever preferred_lft forever

elasticsearch.yml

# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 10.134.101.193

enrollment token (wrong IP is picked)

{
  "ver": "8.2.0",
  "adr": [
    "10.116.1.64:9200"
  ],
  "fgr": "29675b0fa692028b0956e19b406a4109711d12ba6035597909003e3ae430cab2",
  "key": "_y5SCoUBjnOyNzZhq9k8:l5GxSw87Tq-ouLVixPyWaQ"
}


I assume you encountered the error when you tried to use the enrollment token to enroll a new node, not when you tried to generate the enrollment token.

When you "enable back Ip2", did you change anything networking related in the elasticsearch.yml file, e.g. network.host? The enrollment token should contain whatever address is specified for it. Based on your shared elasticsearch.yml file, it should be 10.134.101.193 (I assume this is Ip1). So I don't see how you get a different adr of 10.116.1.64:9200 (I assume this is Ip2) in the enrollment token unless you also changed the setting.

The error was complaining that the cluster's HTTP certificate does not cover Ip2. How did you generate the HTTP certificate? If you generated it manually, you'll want to regenerate it so that it contains both Ip1 and Ip2.
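One way to check a token before using it to enroll, as an added example that is not code from this thread or from Elastic: decode the token, compare each adr host against the SAN entries the HTTP certificate is expected to carry (a constructed list here), and compare the fgr field against the SHA-256 of the HTTP CA certificate's DER bytes (a constructed stand-in here). The field layout follows the decoded token shown above; the SAN list and CA bytes are assumptions supplied by the caller.

```python
import base64
import hashlib
import json
from ipaddress import ip_address

def decode_enrollment_token(token: str) -> dict:
    """Decode an enrollment token (base64 of a JSON document with
    ver, adr, fgr and key fields) and validate its shape."""
    raw = base64.b64decode(token, validate=True)
    doc = json.loads(raw)
    for field in ("ver", "adr", "fgr", "key"):
        if field not in doc:
            raise ValueError(f"enrollment token missing field {field!r}")
    if not isinstance(doc["adr"], list) or not doc["adr"]:
        raise ValueError("enrollment token has no adr entries")
    return doc

def host_of(addr: str) -> str:
    """Strip the port from 'host:port' or '[v6addr]:port'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0]

def uncovered_addresses(doc: dict, san_ips, san_dns) -> list:
    """Return adr entries whose host is in neither the IP nor the DNS SANs.
    IPs are compared as ip_address objects, names case-insensitively."""
    ips = {ip_address(i) for i in san_ips}
    dns = {d.lower() for d in san_dns}
    missing = []
    for addr in doc["adr"]:
        host = host_of(addr)
        try:
            covered = ip_address(host) in ips
        except ValueError:
            covered = host.lower() in dns
        if not covered:
            missing.append(addr)
    return missing

def fingerprint_matches(doc: dict, ca_der: bytes) -> bool:
    """fgr is the hex SHA-256 over the HTTP CA certificate's DER bytes."""
    return hashlib.sha256(ca_der).hexdigest().lower() == doc["fgr"].lower()

# Constructed sample: a stand-in for the CA DER, and a token built from the
# decoded JSON in the thread with the key replaced by a placeholder.
SAMPLE_CA_DER = b"constructed-ca-der-bytes-not-a-real-certificate"
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "ver": "8.2.0",
    "adr": ["10.116.1.64:9200"],
    "fgr": hashlib.sha256(SAMPLE_CA_DER).hexdigest(),
    "key": "PLACEHOLDER:PLACEHOLDER",
}).encode()).decode()
```

With a SAN list that only covers Ip1, `uncovered_addresses` reports the Ip2 entry, which is the same mismatch the enrollment error describes.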

Thanks for the response; your understanding is correct, and below was the expectation:
" The enrollment token should contain whatever address that is specified for it. Based on your shared elasticsearch.yml file, it should be 10.134.101.193 (I assume this is Ip1)"

However, the actual behavior is different.
Minimal steps to reproduce this issue (Elasticsearch version 8.2):

  1. Install elastic on first node
  2. Set network.host to 10.134.101.193 (Ip1) in elasticsearch.yml
  3. Start elastic service using systemctl start elasticsearch.service
  4. Run /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -f -s node to generate token
  5. Decode the token from step 4 and see that it has the wrong IP (Ip2), which is "10.116.1.64:9200":
"adr": [
    "10.116.1.64:9200"
  ],

Maybe I am completely wrong,
but can there be a case where the enrollment token simply sorts all the available IPs, takes the first one and ignores the IP in "network.host"?
