SSL error from logstash to elastic

Hi, I am trying to enable TLS communication from Kibana/Logstash to Elasticsearch. It works from Kibana to Elasticsearch, but I see this error when trying from Logstash:

[2021-10-26T14:26:37,751][ERROR][logstash.javapipeline    ] Pipeline error {:pipeline_id=>"logs1-server1", :exception=>#<Manticore::UnknownException: Host name 'elsticuat01.xxx.com' does not match the certificate subject provided by the peer (CN=abcd, DC=com)>, :backtrace=>[".....

I am trying to use our company signed certs, instead of self-signed certs.

Here's what I entered while creating the CSR using the elasticsearch-certutil http command:

## Do you wish to generate a Certificate Signing Request (CSR)?
Generate a CSR? [y/N]y
## Do you wish to generate one certificate per node?
Generate a certificate per node? [y/N]N
## Which hostnames will be used to connect to your nodes?
You entered the following hostnames.
 - UAT_cluster_elasticnodes*.xyz.com
 - SYS_cluster_elasticnodes*.xyz.com
 - SYS_logstash_nodes*.xyz.com
 - UAT_logstash_nodes*.xyz.com
## Which IP addresses will be used to connect to your nodes?
You did not enter any IP addresses.
Is this correct [Y/n]Y
## Other certificate options
Key Name: UAT_elasticnodexyz.com.com
Subject DN: CN=UAT_elasticnodexyz.com, DC=com
Key Size: 2048
Do you wish to change any of these options? [y/N]N
## What password do you want for your private key(s)?
Entered private key
## Where should we save the generated files?

I also tried connecting with the curl command and see this error:

curl -v --cacert company_root.crt https://UAT_elasticuat01.xyz.com:9200
* About to connect() to UAT_elasticuat01.xyz.com port 9200 (#0)
*   Trying 10.35.82.211...
* Connected to UAT_elasticuat01.xyz.com (10.35.82.211) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: company_root.crt
  CApath: none
* Server certificate:
*       subject: CN=uat_logstash,DC=com
*       start date: Oct 22 18:40:02 2021 GMT
*       expire date: Oct 23 04:59:59 2022 GMT
*       common name: uat_logstash
*       issuer: CN=company details
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

Logstash config looks like this:

output {
  elasticsearch {
    hosts => ["https://uat-elstic1.company.com:9200" , "https://uat-elstic2.company.com:9200" , "https://uat-elstic3.company.com:9200"]
    ssl => true
    cacert => "/pathto/company_root.crt"
    #ssl_certificate_verification => false
    ..
  }
}

It works when I use ssl_verification = false, as expected.

When generating the CSR, I listed all Elasticsearch and Logstash nodes that could connect to this cluster. Before I try testing with a wildcard name in the hostnames that connect to the ES nodes (*.company.com), I wanted to see if I am missing something else.

Thanks much!
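Both errors in the post (Manticore's "does not match the certificate subject" and curl's SSL_ERROR_BAD_CERT_DOMAIN) are hostname-verification failures: the server presented a certificate whose names (subject CN=uat_logstash, no hostname-style subjectAltName) do not cover the hostname the client connected to. The script below is an added example, not code from the original post or from Elastic; it implements the DNS-name matching rules that TLS clients generally apply (subjectAltName DNS entries are authoritative, the subject CN is consulted only when no DNS SANs exist, a wildcard covers exactly one label), applies them to two constructed certificates modelled on the post's curl output, and includes a stdlib helper for pulling the live certificate so the same check can be run against a real node. The certificate dictionaries, hostnames and the peer_cert helper are assumptions for illustration, in the layout returned by Python's ssl.SSLSocket.getpeercert().

```python
"""Check whether a TLS peer certificate's names cover a requested hostname.

Added example (not from the original post). Certificates are represented in
the dict layout returned by ssl.SSLSocket.getpeercert(); the sample certs
below are constructed to resemble the post's curl output.
"""
import socket
import ssl
from typing import Dict, Optional, Tuple


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.example.com') against a hostname.

    Case-insensitive, trailing dots ignored. A wildcard is honoured only as the
    entire left-most label, must leave at least two more labels ('*.com' is
    rejected, as most clients do), and matches exactly one label:
    '*.company.com' covers 'uat-elstic1.company.com' but neither
    'a.b.company.com' nor 'company.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcards ('uat*.company.com') and '*.com' are not accepted
    if len(h_labels) != len(p_labels):
        return False  # wildcard spans one label only
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason) explaining why a certificate does or does not cover hostname."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        # DNS SANs present: they are the only names considered.
        for san in sans:
            if dns_name_matches(san, hostname):
                return True, f"matched subjectAltName DNS:{san}"
        return False, f"no subjectAltName DNS entry matches {hostname!r}: {sans}"
    # No DNS SANs: legacy fallback to the subject CN. Some clients skip this
    # fallback altogether and fail at this point regardless of the CN.
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    for cn in cns:
        if dns_name_matches(cn, hostname):
            return True, f"matched subject CN={cn} (no SANs present)"
    return False, f"certificate has no DNS SANs and CN {cns} does not match {hostname!r}"


def peer_cert(host: str, port: int = 9200, cafile: Optional[str] = None) -> Dict:
    """Fetch a live peer certificate for inspection (hypothetical diagnostic helper).

    Chain validation against cafile stays on; only the hostname check is
    disabled so the certificate can be retrieved and its names examined even
    when they do not match. Network access is required; not used by the demo.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed to resemble the server certificate curl printed in the post:
# a bare-label CN and no subjectAltName extension at all.
POSTED_CERT = {
    "subject": ((("commonName", "uat_logstash"),), (("domainComponent", "com"),)),
    "issuer": ((("commonName", "company details"),),),
}

# Constructed: a node certificate whose SANs cover the Logstash output hosts.
FIXED_CERT = {
    "subject": ((("commonName", "uat-elstic1.company.com"),),),
    "subjectAltName": (("DNS", "uat-elstic1.company.com"), ("DNS", "*.company.com")),
}


def demo() -> Dict[Tuple[str, str], Tuple[bool, str]]:
    """Evaluate both constructed certificates against two hostnames from the post."""
    results = {}
    for name, cert in (("posted", POSTED_CERT), ("fixed", FIXED_CERT)):
        for host in ("uat-elstic1.company.com", "elsticuat01.xxx.com"):
            results[(name, host)] = hostname_matches_cert(cert, host)
    return results


if __name__ == "__main__":
    for (name, host), (ok, why) in demo().items():
        print(f"{name:6} {host:26} {'OK  ' if ok else 'FAIL'} {why}")
```

Running the demo shows the posted-style certificate failing for every hostname because the client has nothing but a bare CN to compare against, while the constructed certificate passes for uat-elstic1.company.com and still fails for elsticuat01.xxx.com, which lies outside the wildcard's domain. Pointing peer_cert at a real node and feeding the result to hostname_matches_cert gives the same reason string for the live certificate; the fix is to issue the node certificates with DNS SANs that exactly equal (or wildcard-cover) the hostnames Logstash connects to, rather than disabling ssl_certificate_verification.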
