Elasticsearch TLS setup errors

Hi, I set up Elasticsearch on a 3-node CentOS cluster. It worked well until I enabled xpack. I'm using .crt, .key, and ca.crt certs. Here are my config entries:
xpack.security.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "path to key"
xpack.security.http.ssl.certificate_authorities: "path to ca cert"
xpack.security.http.ssl.certificate: "path to cert"
xpack.security.http.ssl.client_authentication: optional

xpack.security.transport.ssl.verification_mode: certificate (commented out for troubleshooting)

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: "path to cert"
xpack.security.transport.ssl.certificate: "path to cert"
xpack.security.transport.ssl.certificate_authorities: [ "path to ca cert" ]

Running curl -XPUT 'localhost:9200/idx' produces:
curl: (52) Empty reply from server

running:
curl --cert 'path to cert' --key 'path to key' --cacert 'path to ca cert' 'https://localhost:9200/_xpack/security/_authenticate?pretty'
produces:

  • NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)

  • Unable to communicate securely with peer: requested domain name does not match the server's certificate.

  • Closing connection 0

curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

Both the host FQDN and the cert have the same domain name. What could be the problem?

Running curl -v --cert /etc/elasticsearch/certs/certname --key /etc/elasticsearch/certs/keyname --cacert /etc/elasticsearch/certs/cacertname https://FQDN:9200/_xpack/security/_authenticate?pretty

  • About to connect() to FQDN port 9200 (#0)

  • Connected to FQDN (IP Address) port 9200 (#0)

  • Initializing NSS with certpath: sql:/etc/pki/nssdb

  • CAfile: /etc/elasticsearch/certs/cacertname
    CApath: none

  • SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

> Host: FQDN:9200
> Accept: */*

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Bearer realm="security"
< WWW-Authenticate: ApiKey
< WWW-Authenticate: Basic realm="security" charset="UTF-8"
< content-type: application/json; charset=UTF-8
< content-length: 746
<
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/_xpack/security/_authenticate?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Bearer realm=\"security\"",
            "ApiKey",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/_xpack/security/_authenticate?pretty]",
    "header" : {
      "WWW-Authenticate" : [
        "Bearer realm=\"security\"",
        "ApiKey",
        "Basic realm=\"security\" charset=\"UTF-8\""
      ]
    }
  },
  "status" : 401
}

  • Connection #0 to host FQDN left intact
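Added example, not from the original post and not part of Elasticsearch: a small POSIX shell diagnostic that takes the certificate, key and CA paths an xpack.security.*.ssl.* section names, plus the hostname curl will connect by, and runs the three file-level checks the symptoms above correspond to: hostname against SAN/CN (the SSL_ERROR_BAD_CERT_DOMAIN case when connecting to localhost instead of the FQDN), key/certificate pairing (the transport section's ssl.key above names a certificate file), and chaining to the CA. The Demo CA and es1.example.test are constructed test material; the script needs only the openssl CLI (1.0.2 or newer for -checkhost).

```shell
# Added diagnostic (example code, not from the original post). Given the cert,
# key and CA files an xpack.security.*.ssl.* section points at, it runs the
# three checks the post's symptoms map to. Needs only the openssl CLI.

# check_tls_files CERT KEY CA HOSTNAME -> returns 0 only if all checks pass
check_tls_files() {
  cert=$1; key=$2; ca=$3; host=$4; rc=0
  # 1. SAN/CN match for the name curl connects by (SSL_ERROR_BAD_CERT_DOMAIN)
  if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "ok:   $cert names $host"
  else
    echo "FAIL: $cert does not name $host (curl: SSL_ERROR_BAD_CERT_DOMAIN)"; rc=1
  fi
  # 2. The cert's public key must equal the public half of the configured key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || echo unreadable)
  if [ "$cert_pub" = "$key_pub" ]; then
    echo "ok:   $key is the private key for $cert"
  else
    echo "FAIL: $key is not the private key for $cert (is ssl.key pointing at a .crt?)"; rc=1
  fi
  # 3. The cert must chain to the CA in ssl.certificate_authorities.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ok:   $cert chains to $ca"
  else
    echo "FAIL: $cert is not signed by $ca"; rc=1
  fi
  return $rc
}

# make_demo_pki DIR: constructed test material, a throwaway CA and a server
# certificate whose SAN is es1.example.test (a made-up FQDN).
make_demo_pki() {
  dir=$1
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=Demo CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj '/CN=es1.example.test' \
    -keyout "$dir/es1.key" -out "$dir/es1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:es1.example.test\n' > "$dir/san.cnf"
  openssl x509 -req -in "$dir/es1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1 -extfile "$dir/san.cnf" -out "$dir/es1.crt" 2>/dev/null
}

# Demo: the FQDN passes; localhost reproduces the name mismatch; a key setting
# that names the certificate file fails check 2.
demo=$(mktemp -d); make_demo_pki "$demo"
check_tls_files "$demo/es1.crt" "$demo/es1.key" "$demo/ca.crt" es1.example.test
check_tls_files "$demo/es1.crt" "$demo/es1.key" "$demo/ca.crt" localhost
check_tls_files "$demo/es1.crt" "$demo/es1.crt" "$demo/ca.crt" es1.example.test; rm -rf "$demo"
```

Run it against the real files with the FQDN from the curl command; a FAIL on check 1 with localhost but not with the FQDN is exactly the pair of results in the post.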
