Installing Elasticsearch 7.12, facing java.security.cert.CertificateException error while setting password/installation

I am setting up an Elasticsearch 7.12 cluster for the first time and I see the errors below:

There seems to be some xpack setup issue:

```
$ bin/Elasticsearch-setup-passwords interactive
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
08:51:29.774 [main] DEPRECATION org.Elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
08:51:29.781 [main] DEPRECATION org.Elasticsearch.deprecation.common.settings.Settings - [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
08:51:30.686 [main] WARN org.Elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [10.203.36.162]; the server provided a certificate with subject name [C=US,ST=California,O=Apple Inc.,OU=management:idms.group.949016,CN=rn-boltd-lapp18.rno.apple.com] and fingerprint [8cb0da0a39b2df3b80ca3a8c4613c888b6f22f32]; the certificate has subject alternative names [DNS:rn-boltd-lapp18.rno.apple.com]; the certificate is issued by [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Server CA 1]; the certificate is signed by (subject [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Server CA 1] fingerprint [ba688c9b20190e2fa4edad752275fd4837bedcff]) signed by (subject [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Root CA] fingerprint [a171dcdee08b1bae30a1ae6cc6d4033bfdef91ce] {trusted issuer}) which is self-issued; the [C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate Root CA] certificate is trusted in this ssl context ([xpack.security.http.ssl])
java.security.cert.CertificateException: No subject alternative names matching IP address 10.203.36.162 found
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160) ~[?:?]
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:?]
    at org.Elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:79) [Elasticsearch-ssl-config-7.12.1.jar:7.12.1]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625) [?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460) [?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) [?:?]
```

Below is my Elasticsearch.yml file:
```yaml
cluster.name: bolt_elastic_stg_x
http.host: rn-XYXABC.XYZ.com
network.host: rn-XYXABC.XYZ.com
transport.tcp.port: 9300
node.name: MASTER1
node.master: true
node.data: true
http.port: 9200
discovery.zen.ping.unicast.hosts: ["rn-XYXABC.XYZ.com:9300", "rn-boltd-server2:9300","rn-boltd-server3:9300"]
path.data: /ngs/app/boltd/Elasticsearch/data
path.logs: /ngs/app/boltd/Elasticsearch/logs
bootstrap.system_call_filter: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.supported_protocols: TLSv1.2
xpack.security.http.ssl.client_authentication: optional
xpack.security.http.ssl.keystore.password: testpassword
xpack.security.http.ssl.keystore.path: /ngs/app/boltd/Elasticsearch/Elasticsearch-7.12.1/config/keystore/keystore.jks
xpack.security.transport.ssl.keystore.password: boltelastic
xpack.security.transport.ssl.keystore.path: /ngs/app/boltd/Elasticsearch/Elasticsearch-7.12.1/config/keystore/keystore.jks
xpack.security.transport.ssl.enabled: true
xpack.security.authc.realms:
  ldap.ldap1:
    order: 1
    url: "ldaps://ldap.example.com/"
    user_dn_templates:
      - "cn={0}, ou=users, o=marketing, dc=example, dc=com"
      - "cn={0}, ou=users, o=engineering, dc=example, dc=com"

#xpack.security.authc.realms.ssl.type: pki
xpack.security.transport.ssl.verification_mode: certificate
#xpack.security.authc.realms.ssl.order: 0
```

Please help here.

You will need to share how you created your certificates please.
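The identity check that fails in the log above, as an added example (not part of the original thread, and not Elasticsearch or JDK code): it reads the server address and SAN list out of the `DiagnosticTrustManager` warning and applies the rule that an IP address is matched only against IP-type SAN entries, never against DNS names. The sample line is abbreviated from the post; the function names, the comma-separated `TYPE:value` layout for multiple SANs, and the simplified wildcard handling are assumptions.

```python
import ipaddress
import re

# Abbreviated from the DiagnosticTrustManager warning quoted in the post.
SAMPLE_LOG = (
    "failed to establish trust with server at [10.203.36.162]; the server "
    "provided a certificate with subject name [...]; the certificate has "
    "subject alternative names [DNS:rn-boltd-lapp18.rno.apple.com]; ..."
)

def parse_warning(line):
    """Return (server_address, [(san_type, value), ...]) from the warning text."""
    server = re.search(r"server at \[([^\]]+)\]", line)
    sans = re.search(r"subject alternative names \[([^\]]*)\]", line)
    if not server or not sans:
        raise ValueError("not a trust-failure warning with SAN details")
    entries = []
    # Assumption: multiple SANs are comma-separated "TYPE:value" pairs.
    for item in filter(None, (s.strip() for s in sans.group(1).split(","))):
        kind, _, value = item.partition(":")
        entries.append((kind.upper(), value))
    return server.group(1), entries

def _dns_match(pattern, host):
    # Simplified: exact match, or "*" standing for the whole left-most label.
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def _same_ip(value, ip):
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False

def identity_matches(target, sans):
    """True if the address the client dialled is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    # An IP target is compared only with IP-type SANs; DNS entries never match.
    return any(k == "IP" and _same_ip(v, ip) for k, v in sans)

def explain(line):
    target, sans = parse_warning(line)
    if identity_matches(target, sans):
        return f"{target} is covered by the certificate SANs"
    usable = [v for k, v in sans if k == "DNS"]
    return f"{target} is not in the SANs; names the certificate does cover: {usable}"

if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
```

Run against the warning in the post, this reports that 10.203.36.162 is not covered while the DNS name in the certificate is, which is why the chain is reported as trusted yet the connection is still rejected.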
