Logstash- Unable to retrieve license information from license server

Trying to setup ELK stack on my on-premise K8S cluster using helm charts. Have enabled x-pack security and both Elasticsearch and kibana are working fine after enabling transport, http security
I have used elasticsearch-certutil to create self signed certificate

When i try to run the logstash, i get the following error

[ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"Host name 'elasticsearch-master' does not match the certificate subject provided by the peer (CN=instance)"}

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/config/elastic-certificares.crt"
xpack.monitoring.elasticsearch.ssl.verification_mode: "certificate"
xpack.monitoring.elasticsearch.hosts: [ "https://elasticsearch-master:9200"]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "***"

I am using the same set of certificate for logstash and have already set the ssl verification_mode to certificate, then why is it validating the hostname ?

Have been stuck with this issue and really appreaciate any help

1 Like

Did you read the documentation?

Option to validate the server’s certificate. Defaults to certificate . To disable, set to none . Disabling this severely compromises security.

Hi @Badger

Thanks for your reply. This setting i saw in the elasticsearch securitysetting allows you to disable hostname verification as i understood

You can optionally provide IP addresses or DNS names for each instance. If neither IP addresses nor DNS names are specified, the Elastic Stack products cannot perform hostname verification and you might need to configure the verification_mode security setting to certificate only

https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html#certutil-cert

Can you pls suggest how to disable hostname validation in logstash if i am using the incorrect setting? And ofcourse i dont want to set ti "none"

You are quoting the documentation for xpack.security.transport.ssl.verification_mode. That has three options (full, certificate, none). As I understand it, xpack.monitoring.elasticsearch.ssl.verification_mode has only two (certificate, which really means full, and none). And yes, folks are aware that this is confusing, but once you have made a less than perfect choice naming something it tends to be pretty hard to fix it without blowing up the installed base.

What finally worked for me, was to like you suggested - blowup the cluster, recreate them using a new certificate were CN of certificate matches elasticsearch.hosts

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.