Versions used:
Elasticsearch 7.16.1
curl 7.74.0

Details:
I configured traffic filters using AWS PrivateLink (configured with reference to the official documentation).
I have created two VPC endpoints and two CNAME records like these:
- *.env1.vpce.ap-northeast-1.aws.elastic-cloud.com
- *.env2.vpce.ap-northeast-1.aws.elastic-cloud.com
Then I tried to connect to Elasticsearch with curl and got an SSL certificate verification error:
$ curl -u elastic:XXXXXXXXX -XGET 'https://my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com/_cat/indices?v' -v
* Trying 10.XX.XXX.XXX:443...
* Connected to my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com (10.XX.XXX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.ap-northeast-1.aws.elastic-cloud.com
* start date: Jul 22 01:31:02 2022 GMT
* expire date: Oct 20 01:31:01 2022 GMT
* subjectAltName does not match my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com
* SSL: no alternative certificate subject name matches target host name 'my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com'
On the other hand, if I skip certificate verification with the -k option, the response comes back:
$ curl -k -u elastic:XXXXXXXXX -XGET 'https://my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com/_cat/indices?v'
health status index
green open .ent-search-actastic-workplace_search_accounts_v16
...
For security reasons, I would like the SSL connection to succeed without the -k option.
Please advise me on which configuration items need to be corrected.
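Why curl refuses the certificate, as an added example that is not part of the original post: a wildcard in a certificate name covers exactly one DNS label, so the presented `CN=*.ap-northeast-1.aws.elastic-cloud.com` can cover `something.ap-northeast-1.aws.elastic-cloud.com` but never a name four labels deeper such as `my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com`. The script below implements that matching rule (case-insensitive, whole-label wildcard in the left-most position only, one label per wildcard, following RFC 6125 section 6.4.3 conservatively) and runs it over the names taken from the verbose output above. The SAN list is constructed from the CN shown in the log, since the log does not print the full subjectAltName extension; the function names are this example's own.

```python
"""Certificate name matching: the rule behind curl's
'no alternative certificate subject name matches target host name'.
Added example, not from the original post or from curl's sources.
Hostnames come from the post's verbose output; the SAN list is
constructed from the CN in that output (the full SAN list is not shown)."""

from typing import Iterable, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate DNS name `pattern` covers `hostname`.

    Rules (RFC 6125 section 6.4.3, conservative reading):
      * comparison is case-insensitive and ignores a trailing dot
      * '*' is accepted only as the whole left-most label ('f*o' is refused)
      * '*' matches exactly one label: never zero, never several
      * a wildcard needs at least two fixed labels after it ('*.com' is refused)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if any(label == "" for label in p_labels + h_labels):
        return False  # empty label: malformed name
    if "*" in hostname:
        return False  # the target host itself never carries a wildcard
    if "*" not in pattern:
        return p_labels == h_labels  # plain name: exact label-by-label match
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial or non-leading wildcard: refuse
    if len(p_labels) < 3:
        return False  # '*.com' would be far too broad
    # '*' consumes exactly one label; every remaining label must match exactly,
    # so the host must have the same number of labels as the pattern.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def first_matching_name(dns_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first certificate name covering hostname, or None.

    None is the situation curl reports as error 60 in the post.
    """
    for name in dns_names:
        if hostname_matches(name, hostname):
            return name
    return None


# Constructed from the log line 'subject: CN=*.ap-northeast-1.aws.elastic-cloud.com'
ELASTIC_CLOUD_SANS = ["*.ap-northeast-1.aws.elastic-cloud.com"]

if __name__ == "__main__":
    for host in [
        "my-cluster.es.env1.vpce.ap-northeast-1.aws.elastic-cloud.com",  # from the post
        "my-cluster.ap-northeast-1.aws.elastic-cloud.com",  # one label deep: covered
    ]:
        verdict = first_matching_name(ELASTIC_CLOUD_SANS, host)
        status = f"covered by {verdict}" if verdict else "no certificate name matches (curl error 60)"
        print(f"{host}: {status}")
```

Running it shows the PrivateLink name from the post failing and the one-label-deep name succeeding against the same wildcard, which is exactly the difference between the failing and the `-k` run: `-k` does not make the names match, it removes this check altogether, so any certificate presented on the path, including one that was never issued for the cluster, would be accepted. The condition the verifier enforces is therefore on the name and certificate side, not something to relax in the client.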