Host name does not match the certificate

yeziblo · June 20, 2019, 7:38am

Hi everyone,

I use command './bin/elasticsearch-certutil cert --ca-cert config/ca/ca.crt --ca-key config/ca/ca.key ' to create a p12 file.

This file doesn't include any IP/Hostname information, so when I connect to ES cluster with transportclient, java code would be:
builder.put("xpack.security.transport.ssl.verification_mode", "certificate");

And my question is:
If I use RestHighLevelClient instead of Transportclient, what should the code be?

My JAVA code -
KeyStore truststore = KeyStore.getInstance("jks");
try (InputStream is = new FileInputStream("/mypath/elastic-certificates.p12")) {
truststore.load(is, "123456".toCharArray());
}
SSLContextBuilder sslBuilder = SSLContexts.custom()
.loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();
RestClientBuilder builder = RestClient.builder(
new HttpHost("172.16.3.85", 9200, "https"))
.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext);
}
});

And I got error -
java.io.IOException: Host name '172.16.3.85' does not match the certificate subject provided by the peer (CN=instance)

I don't know much about CA, I think the CN is the hostname(I think "instance" is default valueIn because in my case, the hostname should be "hadoop-5"). but my ES cluster hava 3 nodes(hadoop-5 hadoop-6 hadoop-7), hadoop-5 is one of these, should I set CN to "hadoop-5,hadoop-6,hadoop-7"?

How could I do to ignore IP/Hostname，only use certificate to verification user.

TimV · June 21, 2019, 2:51am

You need to disable hostname verification your in HttpAsyncClientBuilder:

public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
  return httpClientBuilder
         .setDefaultCredentialsProvider(credentialsProvider)
         .setSSLContext(sslContext)
         .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}

yeziblo · June 23, 2019, 2:49am

Hi @TimV，
Your answer solved my problem， Thank you very much！

Best regards，
yeziblo

yeziblo · July 8, 2019, 9:10am

HI @TimV,
If I use jdbc:es:// to connection to ES, How can I set "NoopHostnameVerifier.INSTANCE" in jdbc url?

TimV · July 9, 2019, 9:21am

At this point you're making life harder and harder for yourself.

You really should just use a certificate that includes the DNS name(s) of your node(s).
Disabling hostname verification in every client you ever want to use is the wrong solution.

system · August 6, 2019, 9:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Host name does not match the certificate Elasticsearch elastic-stack-security	3	3247	May 7, 2021
Elasticsearch HTTPS and Adding to Java Rest Client Elasticsearch elastic-stack-security	1	28	August 26, 2024
Host name "<ip addr>" does not match certificate subject provided by peer Elasticsearch	4	4368	July 5, 2017
Hostname verification turn off for curl requests Elasticsearch elastic-stack-security	6	5403	December 26, 2019
Ignore server name mismatch in Java transport client? Elasticsearch	1	415	May 12, 2020

Host name does not match the certificate

Related topics