Multi-node cluster setup-passwords fails


(Kenneth) #1

Hi,

I have setup a multi-node elasticsearch cluster successfully and turned on TLS to encrypt traffic between the nodes and also into the cluster. I am using an external load balancer which resolves to a domain of, say, domain.com.

I used the certutil tool on one of the nodes to generate a p12 certificate authority and certificate. I then copied the certificate to all of the other nodes. All of the nodes start successfully and I can see that they are talking to each other correctly.

When I try and set the passwords for the built-in users, I get an error:

/usr/share/elasticsearch/bin/x-pack/setup-passwords auto -v
Running with configuration path: /etc/elasticsearch

Testing if bootstrap password is valid for https://10.4.0.4:9200/_xpack/security/_authenticate?pretty

SSL connection to https://10.4.0.4:9200/_xpack/security/_authenticate?pretty failed: java.security.cert.CertificateException: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

So, the question is do I need to use the certutil tool to generate new certificates that are different for each node? Do I need to specify all the ip addresses and names for each node in the certificate as well as the common domain name?

The online documentation doesn't really seem to address this situation.

All ideas gratefully received.


(Yogesh Gaikwad) #2

Hi @KeninHouston,

You are on the right track.
Looks like you do not have a SAN present in the generated certificate applied to all nodes.
It would be good to re-generate certificates as described with all IPs and DNS names. We think it's always good to go with full mode for verification_mode as this involves security and other options are less secure.
To ease the certificate generation for different nodes you could use the following silent mode with an input file containing node details like IPs and DNS names:
https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html#certutil-silent
Just to note, the documentation does make a recommendation for SAN details, but please let us know if you would want us to explicitly mention any more details; suggestions welcome.

Hope this helps.

Regards,
Yogesh Gaikwad
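As an added example (not code from either post or from the Elastic documentation), here is the kind of instances.yml the silent mode linked above expects, with one entry per node and the load balancer name on every entry. Node names, the node2/node3 addresses and the per-node hostnames are assumed; only 10.4.0.4 and domain.com come from the thread.

```yaml
# instances.yml for certutil silent mode (added example, values constructed).
# Each node gets its own certificate whose SAN carries the node's own IP and
# hostname plus the shared load-balancer name, so a connection to the IP
# (as setup-passwords makes above) and to domain.com both pass full verification.
instances:
  - name: "node1"
    ip:
      - "10.4.0.4"          # address setup-passwords connected to in the error above
    dns:
      - "node1.domain.com"  # assumed per-node hostname
      - "domain.com"        # load balancer name, present on every node's certificate
  - name: "node2"
    ip:
      - "10.4.0.5"          # assumed
    dns:
      - "node2.domain.com"  # assumed
      - "domain.com"
  - name: "node3"
    ip:
      - "10.4.0.6"          # assumed
    dns:
      - "node3.domain.com"  # assumed
      - "domain.com"
# Generate one certificate per node, signed by the existing CA (CA file name assumed):
#   /usr/share/elasticsearch/bin/x-pack/certutil cert --silent \
#       --in instances.yml --ca elastic-stack-ca.p12 --out node-certs.zip
# The zip holds one directory per instance (node1/node1.p12, ...); copy each node's
# own file to that node only and point xpack.security.http.ssl.keystore.path at it.
```

A node whose certificate lacks its own IP will still fail with "No subject alternative names present" under verification_mode full, so each node's address must appear in its own entry rather than only the load balancer name.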

