Hi,
I have set up a multi-node Elasticsearch cluster successfully and turned on TLS to encrypt traffic between the nodes and also into the cluster. I am using an external load balancer which resolves to a domain of, say, domain.com.
I used the certutil tool on one of the nodes to generate a p12 certificate authority and certificate. I then copied the certificate to all of the other nodes. All of the nodes start successfully and I can see that they are talking to each other correctly.
When I try and set the passwords for the built-in users, I get an error:
/usr/share/elasticsearch/bin/x-pack/setup-passwords auto -v
Running with configuration path: /etc/elasticsearch
Testing if bootstrap password is valid for https://10.4.0.4:9200/_xpack/security/_authenticate?pretty
SSL connection to https://10.4.0.4:9200/_xpack/security/_authenticate?pretty failed: java.security.cert.CertificateException: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
So, the question is: do I need to use the certutil tool to generate new certificates that are different for each node? Do I need to specify all the IP addresses and names for each node in the certificate as well as the common domain name?
The online documentation doesn't really seem to address this situation.
All ideas gratefully received.
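
The check behind the error above, as an added example that is not part of the original post: it tests whether a certificate's subject alternative names cover the address a client connects to. The certificates are constructed samples in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, `san_check` is a hypothetical helper, `10.4.0.5` is a constructed address, and common-name fallback is not modelled.

```python
import ipaddress

# Constructed samples in the dict layout returned by ssl.SSLSocket.getpeercert().
# SHARED_CERT models one certificate copied to every node with no SAN extension.
SHARED_CERT = {"subject": ((("commonName", "instance"),),)}
# NODE_CERT models a certificate issued with both a DNS name and an IP address.
NODE_CERT = {
    "subject": ((("commonName", "instance"),),),
    "subjectAltName": (("DNS", "domain.com"), ("IP Address", "10.4.0.4")),
}


def san_check(cert, target):
    """Return (ok, reason) for a client that connects to `target`."""
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(target)
    except ValueError:
        wanted_ip = None  # not an IP literal, treat as a DNS name

    if wanted_ip is not None:
        # An IP target is only compared with iPAddress entries, never DNS ones.
        ips = [value for kind, value in sans if kind == "IP Address"]
        if not ips:
            return False, "no IP subject alternative names present"
        if any(ipaddress.ip_address(v) == wanted_ip for v in ips):
            return True, "matched IP SAN"
        return False, "no IP SAN matches " + target

    host = target.lower().rstrip(".")
    names = [value.lower() for kind, value in sans if kind == "DNS"]
    if not names:
        return False, "no DNS subject alternative names present"
    for name in names:
        # A wildcard covers exactly one left-most label.
        if name == host or (name.startswith("*.") and host.partition(".")[2] == name[2:]):
            return True, "matched DNS SAN " + name
    return False, "no DNS SAN matches " + target


if __name__ == "__main__":
    for label, cert in (("shared", SHARED_CERT), ("per-node", NODE_CERT)):
        for target in ("10.4.0.4", "domain.com", "10.4.0.5"):
            print(label, target, san_check(cert, target))
```

Feeding it the output of `getpeercert()` from a verified connection to each node shows which of the addresses used by clients and tools are covered by that node's certificate.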