SSL certificate verify failed when connecting using Route53 CNAME records

Versions used

Elasticsearch 7.16.1
curl 7.74.0

Details

I configured traffic filters using AWS PrivateLink. (Configured with reference to the official documentation.)
I created 2 VPC endpoints and 2 CNAME records like these:

  • *.env1.vpce.ap-northeast-1.aws.elastic-cloud.com
  • *.env2.vpce.ap-northeast-1.aws.elastic-cloud.com

Then I tried to connect to Elasticsearch with curl and got an SSL certificate verification error.

$ curl -u elastic:XXXXXXXXX -XGET 'https://my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com/_cat/indices?v' -v
*   Trying 10.XX.XXX.XXX:443...
* Connected to my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com (10.XX.XXX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.ap-northeast-1.aws.elastic-cloud.com
*  start date: Jul 22 01:31:02 2022 GMT
*  expire date: Oct 20 01:31:01 2022 GMT
*  subjectAltName does not match my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com
* SSL: no alternative certificate subject name matches target host name 'my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com'

On the other hand, if I skip certificate verification with the -k option, the response comes back.

$ curl -k -u elastic:XXXXXXXXX -XGET 'https://my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com/_cat/indices?v'
health status index
green open .ent-search-actastic-workplace_search_accounts_v16
...

For security reasons, I would like to get the SSL connection to succeed without the -k option.
Please advise me on the configuration items that need to be corrected.

Hi @r-uehara0219 Welcome to the community and thanks for trying Elastic Cloud.

At a quick look, it seems to me you have an extra layer of domain in your VPC endpoint URL.

Perhaps take a closer look at the docs and retry, following the steps exactly, and don't add another level of domain.

Test the connection.

Find out the endpoint of your deployment. You can do that by selecting Copy endpoint in the Cloud UI. It looks something like my-deployment-d53192.es.us-east-1.aws.found.io. my-deployment-d53192 is an alias, and es is the product you want to access within your deployment.

To access your Elasticsearch cluster over PrivateLink:

  • If you have a custom endpoint alias configured, you can use the custom endpoint URL to connect.
  • Alternatively, use the following URL structure: https://{alias}.{product}.{private_hosted_zone_domain_name}
    For example: https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com

Yours looks like

https://my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com

with the .env1 in it, so it does not match the cert CNAME.

Where it should probably look like

https://my-cluster.es.vpce.ap-northeast-1.aws.elastic-cloud.com

BTW, you can open a support ticket since you are an Elastic Cloud customer.
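The reason the extra label fails is worth seeing in code. A wildcard in a certificate name stands for exactly one DNS label, so `*.es.vpce.ap-northeast-1.aws.elastic-cloud.com` would cover `my-cluster.es.vpce...` but can never cover `my-cluster.es.env1.vpce...`, which has one label more. The following is an added example, not code from the thread or from Elastic: it implements the usual RFC 6125 hostname-matching rules (as curl and browsers apply them: SAN entries are checked, the subject CN is only a fallback when no DNS SANs exist) and runs them against a constructed certificate. The subject CN is the one printed by `curl -v` in the question; the SAN list, and the names `CertNames`, `dns_name_matches`, `verify_host` and `explain`, are assumptions for illustration, since `curl -v` shows the CN but not the certificate's SAN entries.

```python
# Added example (not from the thread or Elastic): RFC 6125-style matching of a
# hostname against the DNS names a certificate carries, to show why an extra
# label such as ".env1." breaks a single-label wildcard.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertNames:
    """The name material a client verifies: subject CN plus dNSName SANs."""
    subject_cn: str
    dns_sans: List[str]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly a wildcard) matches hostname.

    Rules applied (the strict reading of RFC 6125 section 6.4.3):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is only honoured when it is the entire left-most label;
      * a wildcard stands for exactly one non-empty label, so it can neither
        cover two labels ("a.b") nor zero labels;
      * a wildcard directly under a public suffix ("*.com") is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False  # partial wildcard ("f*.x") or bare "*.com": reject
    if any("*" in label for label in pat_labels[1:]):
        return False  # a wildcard is only allowed in the first label
    if len(pat_labels) != len(host_labels) or not host_labels[0]:
        return False  # '*' must consume exactly one non-empty label
    return pat_labels[1:] == host_labels[1:]


def verify_host(cert: CertNames, hostname: str) -> Optional[str]:
    """Return the certificate name that covers hostname, or None.

    Like curl and browsers: when the certificate carries dNSName SANs, only
    those are consulted and the subject CN is ignored; the CN is used only
    for a certificate that has no DNS SANs at all.
    """
    candidates = cert.dns_sans if cert.dns_sans else [cert.subject_cn]
    for name in candidates:
        if dns_name_matches(name, hostname):
            return name
    return None


def explain(cert: CertNames, hostname: str) -> str:
    """One-line diagnosis for a hostname against the certificate's names."""
    match = verify_host(cert, hostname)
    if match:
        return f"{hostname}: covered by {match}"
    return (f"{hostname}: no certificate name matches "
            f"({len(hostname.split('.'))} labels; a '*' covers exactly one label)")


# Subject CN copied from the curl -v output in the question. The SAN list is
# an ASSUMPTION for illustration only; the real certificate's SANs are not
# shown in the thread.
EXAMPLE_CERT = CertNames(
    subject_cn="*.ap-northeast-1.aws.elastic-cloud.com",
    dns_sans=[
        "*.ap-northeast-1.aws.elastic-cloud.com",
        "*.vpce.ap-northeast-1.aws.elastic-cloud.com",
        "*.es.vpce.ap-northeast-1.aws.elastic-cloud.com",
    ],
)
# Hostname from the question (extra "env1" label) and the documented form.
OP_HOSTNAME = "my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com"
DOCUMENTED_HOSTNAME = "my-cluster.es.vpce.ap-northeast-1.aws.elastic-cloud.com"

if __name__ == "__main__":
    for host in (OP_HOSTNAME, DOCUMENTED_HOSTNAME):
        print(explain(EXAMPLE_CERT, host))
```

To check what the real certificate covers rather than a constructed one, dump its SAN entries from the live endpoint with `openssl s_client -connect <host>:443 -servername <host> </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` and feed those names into `verify_host`; if no single-label wildcard there sits directly above your alias and product labels, no DNS change on your side will make verification pass, and the hostname itself has to change.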

Thank you for your response!
I will re-create the resource and try again.
