Hi everyone,
I use the command './bin/elasticsearch-certutil cert --ca-cert config/ca/ca.crt --ca-key config/ca/ca.key' to create a p12 file.
This file doesn't include any IP/hostname information, so when I connect to the ES cluster with TransportClient, the Java code would be:
builder.put("xpack.security.transport.ssl.verification_mode", "certificate");
And my question is:
If I use RestHighLevelClient instead of TransportClient, what should the code be?
My Java code:
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;

// credentialsProvider was used but never defined in the post; placeholder user and password shown here
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "<password>"));
// elastic-certificates.p12 is a PKCS#12 file, so open it with that keystore type rather than "jks"
KeyStore truststore = KeyStore.getInstance("PKCS12");
try (InputStream is = new FileInputStream("/mypath/elastic-certificates.p12")) {
    truststore.load(is, "123456".toCharArray());
}
// Trust the certificates contained in the p12; no client key material is presented
SSLContextBuilder sslBuilder = SSLContexts.custom()
    .loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();
RestClientBuilder builder = RestClient.builder(new HttpHost("172.16.3.85", 9200, "https"))
    .setHttpClientConfigCallback(httpClientBuilder ->
        httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext));
And I got this error:
java.io.IOException: Host name '172.16.3.85' does not match the certificate subject provided by the peer (CN=instance)
I don't know much about CAs. I think the CN is the hostname (I think "instance" is the default value, because in my case the hostname should be "hadoop-5"), but my ES cluster has 3 nodes (hadoop-5, hadoop-6, hadoop-7), and hadoop-5 is one of them. Should I set the CN to "hadoop-5,hadoop-6,hadoop-7"?
What can I do to ignore the IP/hostname and only use the certificate for verification?
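Added diagnostic, not part of the original post: this Java program opens the same p12 (the path and password are assumed to be the ones in the post) and prints the subject plus any subjectAltName entries of each certificate, which are the names the client's hostname check compares against the host you connect to.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

public class CertNames {
    public static void main(String[] args) throws Exception {
        // Assumed defaults taken from the post; override on the command line
        String path = args.length > 0 ? args[0] : "/mypath/elastic-certificates.p12";
        char[] password = (args.length > 1 ? args[1] : "123456").toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream is = new FileInputStream(path)) {
            ks.load(is, password);
        }

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            System.out.println("alias=" + alias + " subject=" + x.getSubjectX500Principal());

            // Hostname verification matches the connection host against the SAN entries.
            // When the certificate has no SAN extension, the client falls back to the CN,
            // which is why an IP such as 172.16.3.85 is rejected against CN=instance.
            Collection<List<?>> sans = x.getSubjectAlternativeNames();
            if (sans == null) {
                System.out.println("  no subjectAltName extension");
                continue;
            }
            for (List<?> san : sans) {
                int type = (Integer) san.get(0); // 2 = dNSName, 7 = iPAddress
                String kind = type == 2 ? "DNS" : type == 7 ? "IP" : "type " + type;
                System.out.println("  SAN " + kind + ": " + san.get(1));
            }
        }
    }
}
```

If the output shows no DNS or IP entries for the node you connect to, the mismatch comes from the certificate, not from the client code.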