Host name does not match the certificate

Hi everyone,

I use command './bin/elasticsearch-certutil cert --ca-cert config/ca/ca.crt --ca-key config/ca/ca.key ' to create a p12 file.

This file doesn't include any IP/hostname information, so when I connect to the ES cluster with TransportClient, the Java code would be:
builder.put("xpack.security.transport.ssl.verification_mode", "certificate");

And my question is:
If I use RestHighLevelClient instead of TransportClient, what should the code be?

My Java code -
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;

// The file is PKCS#12, so load it with that keystore type explicitly
KeyStore truststore = KeyStore.getInstance("PKCS12");
try (InputStream is = new FileInputStream("/mypath/elastic-certificates.p12")) {
    truststore.load(is, "123456".toCharArray());
}
// Trust only the CA/certificates contained in the p12
SSLContextBuilder sslBuilder = SSLContexts.custom()
        .loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();

// Basic-auth credentials for the cluster (user name and password assumed here;
// the original snippet referenced credentialsProvider without defining it)
final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
        new UsernamePasswordCredentials("elastic", "<password>"));

RestClientBuilder builder = RestClient.builder(
        new HttpHost("172.16.3.85", 9200, "https"))
        .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
            @Override
            public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                return httpClientBuilder
                        .setDefaultCredentialsProvider(credentialsProvider)
                        .setSSLContext(sslContext);
            }
        });

And I got this error -
java.io.IOException: Host name '172.16.3.85' does not match the certificate subject provided by the peer (CN=instance)

I don't know much about CA. I think the CN is the hostname (I think "instance" is the default value, because in my case the hostname should be "hadoop-5"), but my ES cluster has 3 nodes (hadoop-5, hadoop-6, hadoop-7), and hadoop-5 is one of these. Should I set CN to "hadoop-5,hadoop-6,hadoop-7"?

How could I ignore the IP/hostname and only use the certificate to verify the user?

You need to disable hostname verification in your HttpAsyncClientBuilder:

public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
  return httpClientBuilder
         .setDefaultCredentialsProvider(credentialsProvider)
         .setSSLContext(sslContext)
         .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}

Hi @TimV
Your answer solved my problem, thank you very much!

Best regards,
yeziblo

Hi @TimV,
If I use jdbc:es:// to connect to ES, how can I set "NoopHostnameVerifier.INSTANCE" in the JDBC URL?

At this point you're making life harder and harder for yourself.

You really should just use a certificate that includes the DNS name(s) of your node(s).
Disabling hostname verification in every client you ever want to use is the wrong solution.
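As an added example (not code from this thread or from Elastic), a small Java check that loads the p12 truststore and reports, for every certificate in it, whether a DNS or IP subject alternative name covers each cluster node, so you can tell before wiring up a client whether hostname verification will pass or whether the certificate needs to be re-issued with the node names. The path, password and host list are assumptions taken from the question above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

public class CertSanCheck {
    // True if the certificate carries a dNSName (type 2) or iPAddress (type 7)
    // SAN equal to host. Exact match only; wildcard names are not expanded.
    static boolean coversHost(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension at all, so nothing can match
        }
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: same p12 and password as in the question, plus the node names
        String path = args.length > 0 ? args[0] : "/mypath/elastic-certificates.p12";
        char[] password = (args.length > 1 ? args[1] : "123456").toCharArray();
        String[] hosts = {"hadoop-5", "hadoop-6", "hadoop-7", "172.16.3.85"};

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) c;
            System.out.println(alias + ": " + cert.getSubjectX500Principal().getName());
            for (String host : hosts) {
                System.out.println("  " + host + " -> "
                        + (coversHost(cert, host) ? "covered by SAN" : "NOT covered, hostname verification will fail"));
            }
        }
    }
}
```

A certificate generated without hostnames, like the one in the question, reports "NOT covered" for every node; re-issuing it with the node names and IPs makes the default hostname verifier in every client work without any NoopHostnameVerifier.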

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.