Failed to authenticate with host "https://elastic:9200": Hostname/IP does not match certificat

Hello I was running Elastic on a pod in rancher kubernetes and Kibana in another one
version 8.2.3
So I ended up in this

with this log

[2022-06-25T16:15:56.848+00:00][ERROR][plugins.interactiveSetup.elasticsearch] Failed to authenticate with host "https://elastic:9200": Hostname/IP does not match certificate's altnames: Host: elastic. is not in the cert's altnames: DNS:elastic-759448c5cd-q5h5r, DNS:localhost, IP Address:127.0.0.1, IP Address:10.42.1.17

and for the elastic output I have to open it by this command only

curl -k -X GET https://elastic:9200 -u elastic

Screenshot from 2022-06-25 17-25-52

and I cant configure anything manually in the container I can't use Vim or Nano it doesn't exist in the container
please please who could help me ?

[2022-06-25T16:15:56.848+00:00][ERROR][plugins.interactiveSetup.elasticsearch] Failed to authenticate with host "https://elastic:9200": Hostname/IP does not match certificate's altnames: Host: elastic. is not in the cert's altnames: DNS:elastic-759448c5cd-q5h5r, DNS:localhost, IP Address:127.0.0.1, IP Address:10.42.1.17

need solution

Hello @medch1 ! Have a look at this issue and the solution:

I believe you need to set the hostnames when generating the certificate by

...[setting] the appropriate hostname. See the --dns option to certutil

Hello @JLeysens the solution isn't clear can you simplified it to me ?

The error says that your domain name does not match what is in the certificate's domain name(s) certificate. I'm assuming your certificate was generated using elasticsearch-certutil? However it was generated it needs to be valid for the domain name "elastic" which it currently is not.

No no i'm sure it's correct do you need any screenshots

You are running that curl command in insecure mode: -k. What do you see in the terminal without it?

Would you mind sharing kibana.yml and elasticsearch.yml config for hosts and network?

Hello again @JLeysens
this is the elasticsearch.yml file

and this is the kibana.yml file.

and I can't edit it, bash doesn't have neither vim or nano

up up up

The problem is that when your Elasticsearch node started, it thought it has the name elastic-759448c5cd-q5h5r and so it generated a certificate for that hostname.
It didn't not include the hostname elastic in that certificate.

Now when you try to enroll Kibana to Elasticsearch, Elasticsearch is advertising that it has the address elastic:9200. Kibana tries to enroll on that address but the certificate doesn't match the hostname.

Did you change something during your setup that would cause Elasticsearch to think it now has a different hostname (elastic vs elastic-759448c5cd-q5h5r)?

No i didn't anything on my own , I did everything following the official documentation

Facing the exact same problem. Would be great there is a solution.

1 Like

I was running kibana and es in docker. I solved my problem by creating a new network for es and kibana. First I ran the command:

docker network create elastic

This created a new docker network. Then I simply first ran Elasticsearch by the following docker-compose file:

version: '3.3'
services:
    elasticsearch:
        image: 'docker.elastic.co/elasticsearch/elasticsearch:8.3.2'
        container_name: es
        network_mode: elastic
        volumes:
            - '$PWD/esdata:/usr/share/elasticsearch/data'
        ports:
            - '9200:9200'
            - '9300:9300'
        environment:
            - logger.level=INFO

Followed by running kibana using the following docker compose file:

version: '3.3'
services:
    kibana:
        image: 'kibana:8.3.2'
        container_name: kibana
        network_mode: elastic
        ports:
            - '5601:5601'

The only thing to note here is the following line in the docker-compose file:

network_mode: elastic

And then when I configured kibana, there was no error! Hope that helps.

Thanks but it doesn't work on rancher , maybe your solution works for docker

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.