Hi, am trying to enable TLS communication from Kibana/Logstash to Elasticsearch. It works from Kibana to Elasticsearch, but seeing this error when tried from Logstash:
[2021-10-26T14:26:37,751][ERROR][logstash.javapipeline ] Pipeline error {:pipeline_id=>"logs1-server1", :exception=>#<Manticore::UnknownException: Host name 'elsticuat01.xxx.com' does not match the certificate subject provided by the peer (CN=abcd, DC=com)>, :backtrace=>[".....
I am trying to use our company signed certs, instead of self-signed certs.
Here's what I entered while creating the CSR using Elasticsearch-certutil http command:
## Do you wish to generate a Certificate Signing Request (CSR)?
Generate a CSR? [y/N]y
## Do you wish to generate one certificate per node?
Generate a certificate per node? [y/N]N
## Which hostnames will be used to connect to your nodes?
You entered the following hostnames.
- UAT_cluster_elasticnodes*.xyz.com
- SYS_cluster_elasticnodes*.xyz.com
- SYS_logstash_nodes*.xyz.com
- UAT_logstash_nodes*.xyz.com
## Which IP addresses will be used to connect to your nodes?
You did not enter any IP addresses.
Is this correct [Y/n]Y
## Other certificate options
Key Name: UAT_elasticnodexyz.com.com
Subject DN: CN=UAT_elasticnodexyz.com, DC=com
Key Size: 2048
Do you wish to change any of these options? [y/N]N
## What password do you want for your private key(s)?
Entered private key
## Where should we save the generated files?
Also, tried connecting from curl command and see this error:
curl -v --cacert company_root.crt https://UAT_elasticuat01.xyz.com:9200
* About to connect() to UAT_elasticuat01.xyz.com port 9200 (#0)
* Trying 10.35.82.211...
* Connected to UAT_elasticuat01.xyz.com (10.35.82.211) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: company_root.crt
CApath: none
* Server certificate:
* subject: CN=uat_logstash,DC=com
* start date: Oct 22 18:40:02 2021 GMT
* expire date: Oct 23 04:59:59 2022 GMT
* common name: uat_logstash
* issuer: CN=company details
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
Logstash config looks like this:
output {
elasticsearch
{
hosts => ["https://uat-elstic1.company.com:9200" , "https://uat-elstic2.company.com:9200" , "https://uat-elstic3.company.com:9200"]
ssl => true
cacert => "/pathto/company_root.crt"
#ssl_certificate_verification => false
..
}
It works when I used ssl_verification = false as expected.
When generating the CSR - I mentioned all elastic & logstash nodes that could connect to this cluster. Before I try testing with wildcard name in the hostnames that connect to ES nodes(*.company.com), wanted to see if am missing something else.
Thanks much!