Error when creating a kibana token

morad_della3 · September 24, 2022, 9:01pm

ubuntu 22.04
elastic 8.4.1
kibana 8.4.1
filebeat 8.4.1
auditbeat
suricata
elastic and kibana were working well with an old IP and when now i changed the IP to both of them i try to create a token it doesn't work ...
I don't change the config of the beats it still with the old ip just elastic and kibana with the new ip

elastic@elastic:/usr/share/elasticsearch/bin$ sudo ./elasticsearch-create-enrollment-token -s kibana
20:39:02.588 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [192.168.1.18]; the server provided a certificate with subject name [CN=elastic], fingerprint [ff9bbfe08ac8a9cbd85920c34a82032da9c1c5a8], no keyUsage and extendedKeyUsage [serverAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:localhost,IP:0:0:0:0:0:0:0:1,IP:127.0.0.1,IP:fe80:0:0:0:20c:29ff:fe48:9b3e,IP:192.168.43.147,DNS:elastic]; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [968f8b7ce74d054ff7602b66be4d02c70e190156] {trusted issuer}) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,StoreTrustConfig{path=certs/http.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX}})])
java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.1.18 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165) ~[?:?]
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:82) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169) ~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:578) ~[?:?]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183) ~[?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142) ~[?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[?:?]
        at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) ~[?:?]
        at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:178) ~[?:?]
        at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:112) ~[?:?]
        at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.checkClusterHealthWithRetries(BaseRunAsSuperuserCommand.java:214) ~[?:?]
        at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.execute(BaseRunAsSuperuserCommand.java:127) ~[?:?]
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54) ~[elasticsearch-8.4.1.jar:8.4.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85) ~[elasticsearch-cli-8.4.1.jar:8.4.1]
        at org.elasticsearch.cli.Command.main(Command.java:50) ~[elasticsearch-cli-8.4.1.jar:8.4.1]
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64) ~[cli-launcher-8.4.1.jar:8.4.1]

ERROR: Failed to determine the health of the cluster.

stephenb · September 25, 2022, 1:48am

Hi @morad_della3

So when you changed the IP address from the original 192.168.43.147 (which I can see in the error) your certs are no longer valid with the new IP

20:39:02.588 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [192.168.1.18]; the server provided a certificate with subject name [CN=elastic], fingerprint [ff9bbfe08ac8a9cbd85920c34a82032da9c1c5a8], no keyUsage and extendedKeyUsage [serverAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:localhost,IP:0:0:0:0:0:0:0:1,IP:127.0.0.1,IP:fe80:0:0:0:20c:29ff:fe48:9b3e,IP:192.168.43.147,DNS:elastic]; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [968f8b7ce74d054ff7602b66be4d02c70e190156] {trusted issuer}) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,StoreTrustConfig{path=certs/http.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX}})])
java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.1.18 found

The certs were generated using the initial IP address... so now they do not match.

You will either need to
regenerate all the certs
or go back to the old IP address
or set elasticsearch.ssl.verification_mode: none in your kibana.yml which weakens security.

Any client trying to connect with elasticsearch will run into the same issue.

morad_della3 · September 25, 2022, 8:36am

@stephenb thanks for your response, I want to find a solution for this error because for example in working life in the company for example when the company tries to change the range IP we can find solution to this problem
about your response :

How to regenerate all the certs ?

stephenb · September 25, 2022, 3:58pm

For the Transport layer

For the HTTP Layer

system · October 23, 2022, 3:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.