I enabled TLS on Elasticsearch using self-signed certificates. The certificate includes DNS entries containing the host names of all Elasticsearch nodes.
When I start Elasticsearch I get this exception:
No subject alternative names matching IP address xxx.xxx.xxx.xxx found
I wonder why it is using the IP address to validate. I have looked at this link and searched other pages, but couldn't find any reason for this:
https://www.elastic.co/guide/en/elastic-stack-overview/6.8/trb-security-sslhandshake.html
What do you have set for `network.host` in your elasticsearch.yml?
Elasticsearch discovers the other nodes in a cluster by connecting to the seed nodes, adding themselves to the cluster, and asking for the list of node members.
It's that last bit that matters the most - when the list of nodes is retrieved it includes a network address for each node. If that's an IP, then the nodes will connect by IP and the TLS certificate needs to include the IP address.
If that list includes hostnames instead, then we will connect by hostname, and the certificate needs a DNS name.
You can set `network.host` to a hostname, or if you need it to be an IP, you can override how it is published in the cluster list by setting `network.publish_host`.
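The rule behind the answer above is the standard TLS name check: when a client connects to an IP literal, only IP-type subject alternative names are consulted, and DNS-type names are ignored, which is exactly why a certificate built from hostnames fails once the cluster publishes IP addresses. The following is an added example (not code from this thread, from Elasticsearch, or from Elastic's certutil) that reproduces that check over constructed SAN lists so you can confirm, before restarting a node, whether the address it will publish is covered. The node names and addresses are made up, and `published_form` is a simplified stand-in for how Elasticsearch treats `network.publish_host`: special values of the form `_name_` resolve to an IP, anything else is used as written.

```python
import ipaddress
from typing import Iterable, Tuple

SAN = Tuple[str, str]  # ("DNS", name) or ("IP", address)

# Constructed example: a certificate issued with DNS entries only,
# the situation described in the question.
DNS_ONLY_SANS: Tuple[SAN, ...] = (
    ("DNS", "es-node-1.example.internal"),
    ("DNS", "es-node-2.example.internal"),
    ("DNS", "es-node-3.example.internal"),
)

# The same certificate reissued with an IP entry per node (constructed addresses).
DNS_AND_IP_SANS: Tuple[SAN, ...] = DNS_ONLY_SANS + (
    ("IP", "10.0.1.11"),
    ("IP", "10.0.1.12"),
    ("IP", "10.0.1.13"),
)


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a wildcard is honoured only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.example.internal" matches one label only, never "a.b.example.internal"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(sans: Iterable[SAN], target: str) -> bool:
    """True if a TLS client connecting to `target` would accept a certificate with these SANs.

    An IP-literal target is compared against IP SANs only; DNS SANs are never consulted
    for it, so a hostname-only certificate fails whenever nodes are reached by IP.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None  # not an IP literal, treat as a hostname

    if target_ip is not None:
        # ip_address() normalises forms such as "::1" vs "0:0:0:0:0:0:0:1"
        return any(kind == "IP" and ipaddress.ip_address(value) == target_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_matches(value, target) for kind, value in sans)


def published_form(publish_host: str, resolved_ip: str) -> str:
    """Simplified model of what a node publishes to the cluster (assumption, not ES source).

    Elasticsearch special values such as _site_, _local_ or _global_ resolve to an
    address, so peers will connect by IP; a plain hostname is published as given.
    """
    if publish_host.startswith("_") and publish_host.endswith("_"):
        return resolved_ip
    return publish_host


def verdict(sans: Iterable[SAN], publish_host: str, resolved_ip: str) -> str:
    """One-line check for a node's settings against the certificate it will present."""
    target = published_form(publish_host, resolved_ip)
    if san_matches(sans, target):
        return f"ok: {target} is covered by a subject alternative name"
    kind = "IP address" if published_form("_site_", target) == target and target == resolved_ip else "hostname"
    return f"fail: no subject alternative names matching {kind} {target}"


if __name__ == "__main__":
    # network.host: _site_ with a hostname-only certificate reproduces the question's error
    print(verdict(DNS_ONLY_SANS, "_site_", "10.0.1.11"))
    # either publish a hostname or add IP SANs to the certificate
    print(verdict(DNS_ONLY_SANS, "es-node-1.example.internal", "10.0.1.11"))
    print(verdict(DNS_AND_IP_SANS, "_site_", "10.0.1.11"))
```

Run it against the SAN list of your own certificate (for example as printed by `openssl x509 -noout -ext subjectAltName`) and the value each node will publish; a `fail` line means the handshake will be rejected before any authentication happens.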
Thanks @TimV for the explanation. Now it's clearer why it was working this way. The setting in elasticsearch.yml was `network.host: _site_`, and I think that will use the IP address to publish the host.