I have a three-node implementation cluster for Elastic stack on three different VMs and I am using version 7.16.2 with basic license. I have set up two layers of security and am working on the last one, which is "setting up basic security plus secured HTTP Traffic".
I am following this URL.
At first, I encrypted HTTP client communication for Elasticsearch like this.
```
C:\ELK7.16.2\elasticsearch-7.16.2\bin>elasticsearch-certutil http

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.

Generate a CSR? [y/N]n

Use an existing CA? [y/N]y

## What is the path to your CA?

CA Path: C:\ELK7.16.2\elasticsearch-7.16.2\elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

## How long should your certificates be valid?

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 5Y

## Do you wish to generate one certificate per node?

Generate a certificate per node? [y/N]y

## What is the name of node #1?

This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

node #1 name: fs-master

## Which hostnames will be used to connect to fs-master?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

s**6.oma.de-er.net
s**7.oma.de-er.net

You entered the following hostnames.

-s**6.oma.de-er.net
-s**7.oma.de-er.net

Is this correct [Y/n]y

## Which IP addresses will be used to connect to fs-master?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

7.**.**.21
7.**.**.22

You entered the following IP addresses.

-7.**.**.21
-7.**.**.22

Is this correct [Y/n]y

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: fs-master
Subject DN: CN=fs-master
Key Size: 2048

Do you wish to change any of these options? [y/N]n
Generate additional certificates? [Y/n]n

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none]
Repeat password to confirm:

## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [C:\ELK7.16.2\elasticsearch-7.16.2\elasticsearch-ssl-http.zip]

Zip file written to C:\ELK7.16.2\elasticsearch-7.16.2\elasticsearch-ssl-http.zip
```
Then I changed some configuration and everything worked all right. But when I added the elasticsearch-ca.pem certificate to the Kibana config and tried to run Kibana, it gave me the following error.
```
log [15:14:33.005] [error][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. Hostname/IP does not match certificate's altnames: Host: s**8.oma.de-er.net. is not in the cert's altnames: IP Address:7.**.**.21, IP Address:7.**.**.22, DNS:s**6.oma.de-er.net, DNS:s**7.oma.de-er.net
```
Following are my elasticsearch.yml and kibana.yml:
```yaml
cluster.name: FsSearch
node.name: fs-master
node.master: true
path.data: E:\LandingZone\Elastic\fs-master\Data
path.logs: C:\ELK7.16.2\elasticsearch-7.16.2\logs
network.host: 7.**.**.23
http.port: 9200
discovery.seed_hosts: ["7.**.**.21", "7.**.**.22", "7.**.**.23"]
cluster.initial_master_nodes: ["7.**.**.23"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.path: http.p12
```
```yaml
server.port: 5601
server.host: "//s**8.oma.de-er.net"
server.publicBaseUrl: "https://s**8.oma.de-er.net:5601"
elasticsearch.hosts: ["https://s**8.oma.de-er.net:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.ssl.certificateAuthorities: "C:/ELK7.16.2/kibana-7.16.2-windows-x86_64/config/elasticsearch-ca.pem"
```
Can someone please help me with this problem? I am not sure where I am going wrong.
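The check behind the error in the post, as an added example that is not part of the original post: each host in Kibana's `elasticsearch.hosts` has to appear among the DNS or IP entries of the Elasticsearch HTTP certificate's Subject Alternative Names. The host names and addresses below are constructed placeholders (the post masks its real ones), and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: same shape as the altnames list in the Kibana error,
# with placeholder names and addresses instead of the masked originals.
ALTNAMES = ("IP Address:192.0.2.21, IP Address:192.0.2.22, "
            "DNS:es-node1.example.test, DNS:es-node2.example.test")


def parse_altnames(text):
    """Split an altnames string into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_matches(pattern, host):
    """Exact match, or a '*' standing for the whole left-most label only."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_covered(host, altnames):
    """True if host (a name or an IP literal) is listed in the SANs."""
    dns, ips = parse_altnames(altnames)
    try:
        # An IP literal is compared against IP SAN entries only.
        return ipaddress.ip_address(host) in ips
    except ValueError:
        host = host.lower().rstrip(".")
        return any(dns_matches(p, host) for p in dns)


def check_kibana_hosts(urls, altnames):
    """Map each elasticsearch.hosts URL to whether the certificate covers it."""
    return {u: host_covered(urlsplit(u).hostname, altnames) for u in urls}


if __name__ == "__main__":
    hosts = ["https://es-node3.example.test:9200",  # absent from SANs, as in the post
             "https://es-node1.example.test:9200",
             "https://192.0.2.21:9200"]
    for url, ok in check_kibana_hosts(hosts, ALTNAMES).items():
        print(("OK       " if ok else "MISMATCH ") + url)
```
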