Hostname/IP does not match certificate's altnames

usrRea77 · May 9, 2024, 9:14am

I have a question about enrolling my Kibana after fresh re-installation just recently. My app lately stopped running and I made a mistake by removing the Kibana container. Then, the error below has been persisting since then. Please see below for the errors from the console. It seems that Elastic was having issue to connect with Kibana when asking to generate enrollment credentials.

[main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [172.18.0.3]; the server provided a certificate with subject name [CN=1d6d6b2919e0], fingerprint [65b706637662a3b2ed591dac439a0977c61a4a05], no keyUsage and extendedKeyUsage [serverAuth]; the certificate is valid between [2024-01-30T00:04:30Z] and [2026-01-29T00:04:30Z] (current time is [2024-05-09T08:19:53.461318003Z], certificate dates are valid); the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:1d6d6b2919e0,IP:127.0.0.1,IP:172.18.0.2,DNS:localhost]; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [64c4cea2666070a32bb29dbe84b9e3be8b293503] {trusted issuer}) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,StoreTrustConfig{path=certs/http.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX}})])
java.security.cert.CertificateException: No subject alternative names matching IP address 172.18.0.3 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160) ~[?:?]
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:80) ~[?:?]        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1302) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1195) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1138) ~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:586) ~[?:?]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:141) ~[?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[?:?]
        at java.security.AccessController.doPrivileged(AccessController.java:571) ~[?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) ~[?:?]
        at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:178) ~[?:?]
        at org.elasticsearch.xpack.core.security.CommandLineHttpClient.execute(CommandLineHttpClient.java:112) ~[?:?]
        at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.checkClusterHealthWithRetries(BaseRunAsSuperuserCommand.java:214) ~[?:?]
        at org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand.execute(BaseRunAsSuperuserCommand.java:127) ~[?:?]
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54) ~[elasticsearch-8.12.0.jar:8.12.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85) ~[elasticsearch-cli-8.12.0.jar:8.12.0]
        at org.elasticsearch.cli.Command.main(Command.java:50) ~[elasticsearch-cli-8.12.0.jar:8.12.0]
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64) ~[cli-launcher-8.12.0.jar:8.12.0]

ERROR: Failed to determine the health of the cluster. , with exit code 69

If I run this docker network inspect elastic, the console returns as below:

[
    {
        "Name": "elastic",
        "Id": "241f4715d0fa95ed573dde0ea024034284c6815a7cbb56f1158b2f6729b40be3",
        "Created": "2024-01-29T23:37:26.055393797Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "1d6d6b2919e00185d04a9d49a02e00f43bdad3804ef287a5f8add8e5e9a30e3b": {
                "Name": "es01",
                "EndpointID": "29cc5bdfdaa976c319c47084f1bf39a123b021eb0ceaa1831721a4a1294e37ae",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            },
            "72f480b457e50fcf649458ec25ee8a83e800a5f6e56d119403f7a5a75db08b3a": {
                "Name": "kib01",
                "EndpointID": "f96b885fc5a512ebbca248fada7e934af4f30e873e19622c5226d32842c51377",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

I have been running Elastic and Kibana successfully in local following this guide here -Install Kibana with Docker | Kibana Guide [8.13] | Elastic
and would like to continue my app development as local.

Kibana version: 8.13.3
elastic version: 8.12.0

Assuming the network setup is valid, how do I resolve this issue by adding alternative name matching IP: 172.18.0.3 into the certificate? Or I need to generate a new certificate because I had removing the kibana container?

Thanks in advance.

Topic		Replies	Views
Hostname/IP does not match certificate's altnames Kibana elastic-stack-security	3	8680	September 25, 2022
Hostname/IP does not match certificate's altnames Elasticsearch elastic-stack-security	2	2100	March 22, 2022
Hostname/IP does not match certificate's altnames Kibana docker	3	853	August 10, 2023
Failed to authenticate with host "https://elastic:9200": Hostname/IP does not match certificat Kibana elastic-stack-security	14	4219	September 5, 2022
Kibana with elastic form docker compose setup problem Kibana docker	6	977	December 22, 2023

Hostname/IP does not match certificate's altnames

Related topics