Installing elasticsearch 7.12 , facing java.security.cert.CertificateException error while setting password/installation

Neha_goswami · September 24, 2021, 9:20am

I am setting Elasticsearch 7.12 cluster for the first time and i see below errors:

There seems to be some xpack setup issue:

`$ bin/Elasticsearch-setup-passwords interactive

warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME

08:51:29.774 [main] DEPRECATION org.Elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.

08:51:29.781 [main] DEPRECATION org.Elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.

08:51:30.686 [main] WARN org.Elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [10.203.36.162]; the server provided a certificate with subject name [C=US,ST=California,O=Apple Inc.,OU=management:idms.group.949016,CN=rn-boltd-lapp18.rno.apple.com] and fingerprint [8cb0da0a39b2df3b80ca3a8c4613c888b6f22f32]; the certificate has subject alternative names [DNS:rn-boltd-lapp18.rno.apple.com]; the certificate is issued by [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Server CA 1]; the certificate is signed by (subject [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Server CA 1] fingerprint [ba688c9b20190e2fa4edad752275fd4837bedcff]) signed by (subject [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Root CA] fingerprint [a171dcdee08b1bae30a1ae6cc6d4033bfdef91ce] {trusted issuer}) which is self-issued; the [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Root CA] certificate is trusted in this ssl context ([xpack.security.http.ssl])

java.security.cert.CertificateException: No subject alternative names matching IP address 10.203.36.162 found

at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160) ~[?:?]

at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:?]

at org.Elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:79) [Elasticsearch-ssl-config-7.12.1.jar:7.12.1]

at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625) [?:?]

at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460) [?:?]

at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) [?:?]`

Below is my Elasticsearch.yml file:
`
cluster.name: bolt_elastic_stg_x
http.host: rn-XYXABC.XYZ.com
network.host: rn-XYXABC.XYZ.com
transport.tcp.port: 9300
node.name: MASTER1
node.master: true
node.data: true
http.port: 9200
discovery.zen.ping.unicast.hosts: ["rn-XYXABC.XYZ.com:9300", "rn-boltd-server2:9300","rn-boltd-server3:9300"]
path.data: /ngs/app/boltd/Elasticsearch/data
path.logs: /ngs/app/boltd/Elasticsearch/logs
bootstrap.system_call_filter: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.supported_protocols: TLSv1.2
xpack.security.http.ssl.client_authentication: optional
xpack.security.http.ssl.keystore.password: testpassword
xpack.security.http.ssl.keystore.path: /ngs/app/boltd/Elasticsearch/Elasticsearch-7.12.1/config/keystore/keystore.jks
xpack.security.transport.ssl.keystore.password: boltelastic
xpack.security.transport.ssl.keystore.path: /ngs/app/boltd/Elasticsearch/Elasticsearch-7.12.1/config/keystore/keystore.jks
xpack.security.transport.ssl.enabled: true
xpack.security.authc.realms:
ldap.ldap1:
order: 1
url: "ldaps://ldap.example.com/"
user_dn_templates:
- "cn={0}, ou=users, o=marketing, dc=example, dc=com"
- "cn={0}, ou=users, o=engineering, dc=example, dc=com"

#xpack.security.authc.realms.ssl.type: pki
xpack.security.transport.ssl.verification_mode: certificate
#xpack.security.authc.realms.ssl.order: 0
-bash-4.2$ `

pls help here

warkolm · September 29, 2021, 1:24am

You will need to share how you created your certificates please.

system · October 27, 2021, 1:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to initialize a TrustManager for the system keystore (using elasticsearch-oss; i.e. no XPack) Elasticsearch	5	1316	May 31, 2022
Elasticsearch user creation fails Elasticsearch elastic-stack-security	3	881	April 13, 2022
Elastic password generate error Elasticsearch elastic-stack-security	3	877	November 7, 2022
Elasticsearch 7.2 java client SSL configuration failing: bad_certificate Elasticsearch	3	1882	September 25, 2019
Error changing certificate in Elasticsearch Elasticsearch elastic-stack-security	4	1504	May 30, 2022

Installing elasticsearch 7.12 , facing java.security.cert.CertificateException error while setting password/installation

Related Topics