No SAN option available in verbose mode of elasticsearch-certutil

I was setting up the SSL certificates for Kibana, and when I tried to generate an enrollment token, using this command:

(as root)
/usr/share/elasticsearch# bin/elasticsearch-create-enrollment-token -s kibana

I got the following error:

java.security.cert.CertificateException: No subject alternative names present

Looking at some topics, I found out that to solve this I have to regenerate the certificate, adding the SAN. But with certutil there's no mention of any option that allows filling this field, unless I use silent mode (which allows setting some parameters in a .yml that in the end results in filling the SAN field).

I don't want to create a .yml, because I'm doing this on a single-node cluster for only the localhost server, and start the whole process of configuring the SSL connection again.

Any ideas why? How can I generate a proper certification using certutil in verbose mode?

Thank you

elasticsearch-create-enrollment-token is only designed to work on clusters where security was auto configured.
You might make it work by updating your certificates to have the required SAN entries, but I can't guarantee it - you might just run into a new problem after that.

A "SAN" isn't really a single thing. It's one section (extension) in the certificate, but it has multiple field types within it, so there isn't a way to tell certutil to "add a SAN"; you need to be explicit about which type of field you want to add.

The relevant command line options to certutil are:

  • --ip <IP_addresses>
  • --dns <domain_name>
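
The sketch below is an added example, not part of the thread and not Elastic's code. It is a simplified model of TLS hostname verification, showing why the entry type matters: an IP target is compared only with IP entries and a host name only with DNS entries. The function names are hypothetical, and the SAN lines are constructed samples in the `DNS:..., IP Address:...` form that `openssl x509 -noout -text` prints.

```python
import ipaddress

def parse_san(line):
    """Split an OpenSSL-style SAN line into {'dns': [...], 'ip': [...]}."""
    san = {"dns": [], "ip": []}
    for item in filter(None, (p.strip() for p in line.split(","))):
        kind, _, value = item.partition(":")
        if kind == "DNS":
            san["dns"].append(value.lower())
        elif kind == "IP Address":
            # Parse into an address object so ::1 and 0:0:0:0:0:0:0:1 compare equal.
            san["ip"].append(ipaddress.ip_address(value))
    return san

def dns_match(name, patterns):
    """Exact match, or a wildcard covering exactly the leftmost label."""
    name = name.lower().rstrip(".")
    for pattern in patterns:
        if pattern == name:
            return True
        if pattern.startswith("*.") and "." in name:
            if name.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def check_target(target, san):
    """Return (ok, missing_option) for the address a client connects to.

    missing_option is the certutil option from the answer above that would
    add the entry type this target needs, or "" when the target is covered.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # IP targets never match DNS entries, even if one resolves to them.
        return (True, "") if addr in san["ip"] else (False, f"--ip {target}")
    if dns_match(target, san["dns"]):
        return (True, "")
    return (False, f"--dns {target}")

if __name__ == "__main__":
    # Constructed SAN lines: no SAN, DNS only, DNS plus IP.
    for line in ("", "DNS:localhost", "DNS:localhost, IP Address:127.0.0.1"):
        for target in ("localhost", "127.0.0.1"):
            print(repr(line), target, check_target(target, parse_san(line)))
```
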
