hello stephen
Thank you for taking the time to answer me as always
my apologies I'm quite new to the community, I didn't know the rules
I went into one of the nodes and run the command:
curl -v --cacert /etc/elasticsearch/certs/elasticsearch-ca.pem -u elastic https://localhost:9200
and here is its output:
root@elasticsearch1:/home/elasticsearch1# curl -v --cacert /etc/elasticsearch/certs/elasticsearch-ca.pem -u elastic https://localhost:9200
Enter host password for user 'elastic':
* Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/elasticsearch/certs/elasticsearch-ca.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=node-1
* start date: Jul 31 17:19:11 2024 GMT
* expire date: Jul 31 17:19:11 2029 GMT
* subjectAltName does not match localhost
* SSL: no alternative certificate subject name matches target host name 'localhost'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I think its because the SSL certificate used by Elasticsearch does not have localhost
listed as a valid subjectAltName
(SAN).
when I Bypass the Certificate Validation using this command
curl -v -k -u elastic https://localhost:9200
it works same this for the integration when I added verification_mode: none
in the SSL configuration of the integration
but this is not recommended for production environments, therefore are there other solutions like regenerating the certificate with localhost
in SAN for each node certification as explained in here: Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.15] | Elastic
or any other solution that ensures security ?
thank you!