SSL Connection fail on Elastic 7.8.0 in Docker Container

Hey folks,

Following these instructions, I've installed a single node Elastic 7.8.0 on docker.

Then I create default certs and keys with
bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

I move the .p12 to config/certs
To stop a previous error, I update the .p12 to have permissions 1000:1000

Then I edit config/elasticsearch.yml and add

cluster.name: "docker-cluster"
network.host: 0.0.0.0 # also tried the docker ip 123.1.0.1
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"
xpack.security.transport.ssl.truststore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"
xpack.security.http.ssl.truststore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"

Then restart the container

When I go to set user passwords with
bin/elasticsearch-setup-passwords interactive

I get this error

WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [123.1.0.1]; the server provided a certificate with subject name [CN=instance] and fingerprint [d5a8c37fd3bbf48327e4753452c2b4ebe12660f2]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [75af257949c76373a50ff4fa2f90c97aaf7f10f1] {trusted issuer}) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is trusted in this ssl context ([xpack.security.http.ssl])

    [x-pack-security-7.8.0.jar:7.8.0]
                    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.8.0.jar:7.8.0]
                    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.8.0.jar:7.8.0]
                    at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:91) [elasticsearch-cli-7.8.0.jar:7.8.0]
                    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.8.0.jar:7.8.0]
                    at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.8.0.jar:7.8.0]
                    at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:116) [x-pack-security-7.8.0.jar:7.8.0] 

    SSL connection to https://123.1.0.1:9200/_security/_authenticate?pretty failed: No subject alternative names present
    Please check the elasticsearch SSL settings under xpack.security.http.ssl.

    ERROR: Failed to establish SSL connection to elasticsearch at https://123.1.0.1:9200/_security/_authenticate?pretty.

I've troubleshooted this for a couple of days and checked this forum plenty.

  • 123.1.0.1 is the ip of the docker container with elastic.
    I tried updating the config yml so the host ip = 123.1.0.1 but no effect.

  • If I first set only TLS (not HTTPS), then I am able to set user passwords, but when I activate http.ssl I get an error message on Elasticsearch boot up:
    {"type": "server", "timestamp": "2020-06-24T22:47:48,739Z", "level": "WARN", "component": "o.e.b.BootstrapChecks", "cluster.name": "docker-cluster", "node.name": "d3b0717b5f42", "message": "Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]" }
    And when I check config for xpack.security.transport.ssl.enabled: true it's still there

Why not the next page in that series, i.e. "Encrypting communications in an Elasticsearch Docker Container" (Elasticsearch Guide [7.8]), which is specifically about Docker?

The actual error is printed in the output:

SSL connection to https://123.1.0.1:9200/_security/_authenticate?pretty failed: No subject alternative names present

You'd need to recreate your certificates and add the IP (123.1.0.1) as a SAN; see the --ip flag in elasticsearch-certutil (Elasticsearch Guide [8.11]).
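
The check behind the answer above, as an added example that is not part of the original thread: it builds two constructed self-signed certificates (one without a SAN, one with IP:123.1.0.1) and tests each with `openssl x509 -checkip`. The function names, the temporary files and the `node.pem` filename are assumptions made for the illustration; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Tests whether a PEM certificate lists a
# given IP as a subjectAltName, the condition behind
# "No subject alternative names present".
# On a real node, export the certificate from the keystore first, e.g.
# (node.pem is a hypothetical output name):
#   openssl pkcs12 -in elastic-certificates.p12 -nokeys -clcerts -out node.pem

# cert_covers_ip <cert.pem> <ip>: returns 0 if the IP is among the cert's SANs.
cert_covers_ip() {
  # -checkip prints "does match" or "does NOT match"; test the text rather
  # than relying on openssl's exit status.
  openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null \
    | grep -q 'does match certificate'
}

# make_sample_cert <out.pem> [ip]: constructed self-signed certificate.
# CN=instance mirrors the subject in the thread's log. Without an ip argument
# the certificate carries no SAN, like the one first generated in the thread.
make_sample_cert() {
  if [ -n "${2:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
      -keyout "$1.key" -out "$1" -addext "subjectAltName=IP:$2" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
      -keyout "$1.key" -out "$1" 2>/dev/null
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NODE_IP=123.1.0.1   # container address from the thread

make_sample_cert "$WORK/no-san.pem"
make_sample_cert "$WORK/with-san.pem" "$NODE_IP"

for cert in no-san with-san; do
  if cert_covers_ip "$WORK/$cert.pem" "$NODE_IP"; then
    echo "$cert: $NODE_IP is covered by a SAN entry"
  else
    echo "$cert: $NODE_IP is NOT in the SAN list; hostname verification fails"
  fi
done
```

Running the same check on the exported node certificate before restarting the container shows whether the address clients connect to is covered.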

Thanks, that worked.
I didn't use those Docker instructions, 'cause I'm not using Docker Compose.