I am using the settings below and a newly created certificate to set up transport and HTTP security.
My setting in elasticsearch.yml is as below:
xpack.security.enabled : True
xpack.security.transport.ssl.enabled : True
xpack.security.transport.ssl.verification_mode : certificate
xpack.security.transport.ssl.key : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.key
xpack.security.transport.ssl.certificate : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.cer
xpack.security.transport.ssl.certificate_authorities : [ "/app/cd1/qa/elasticsearch-latest/config/certs/CorporationIssuing.crt" ]
xpack.security.transport.ssl.supported_protocols : [ "TLSv1.2" ]
xpack.security.http.ssl.enabled : True
xpack.security.http.ssl.verification_mode : certificate
xpack.security.http.ssl.key : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.key
xpack.security.http.ssl.certificate : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.cer
xpack.security.http.ssl.certificate_authorities : [ "/app/cd1/qa/elasticsearch-latest/config/certs/CorporationIssuing.crt" ]
xpack.security.http.ssl.supported_protocols : [ "TLSv1.2" ]

My Elasticsearch cluster has 8 nodes and I am just trying to bring up the first master node only. The certificate is the same for all 8 nodes, as it contains DNS entries for all 8 nodes.

When I try to hit the URL, I get the following error:
C:\Program Files\Java\jdk1.8.0_291\bin>curl -v https://rt31a10088qv00:9200
* Rebuilt URL to: https://rt31a10088qv00:9200/
*   Trying 10.200.77.27...
* TCP_NODELAY set
* Connected to rt31a10088qv00 (10.200.77.27) port 9200 (#0)
* schannel: SSL/TLS connection with rt31a10088qv00 port 9200 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 183 bytes...
* schannel: sent initial handshake data: sent 183 bytes
* schannel: SSL/TLS connection with rt31a10088qv00 port 9200 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with rt31a10088qv00 port 9200 (step 2/3)
* schannel: encrypted data got 2400
* schannel: encrypted data buffer: offset 2400 length 4096
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with rt31a10088qv00 port 9200
* schannel: clear security context handle
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
Please advise.
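SEC_E_WRONG_PRINCIPAL is raised by the client (curl's schannel backend), not by Elasticsearch: the server's TLS handshake completed, but the hostname in the URL did not match any dNSName in the certificate's Subject Alternative Name list. The following added example (not code from the post or from Elasticsearch) reproduces that hostname check with the RFC 6125 rules schannel and OpenSSL apply, and includes a helper to pull the SAN list off a running node; the SAN entries and the corp.example domain are constructed placeholders, assuming the certificate carries FQDNs while the URL used the bare short name.

```python
import socket
import ssl

# Constructed sample: the certificate holds the FQDNs of all eight nodes
# (placeholder domain), while the curl command used the bare short hostname.
SAMPLE_SAN = [f"rt31a100{n}qv00.corp.example" for n in range(88, 96)]


def _san_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname: case-insensitive, a lone '*'
    allowed only as the leftmost label, never spanning a dot, never matching
    the registered domain itself (the usual RFC 6125 client behaviour)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, san_names) -> bool:
    """True when the URL hostname matches at least one dNSName in the SAN list."""
    return any(_san_matches(name, host) for name in san_names)


def explain_failure(host: str, san_names):
    """None on success; otherwise the diagnosis a client would report."""
    if hostname_matches(host, san_names):
        return None
    return f"'{host}' matches no SAN entry; certificate names: {', '.join(san_names)}"


def fetch_san_dns_names(host: str, port: int = 9200, ca_file: str = None):
    """Read the dNSName SAN entries from a live server (network call; not run
    in the test). Hostname checking is disabled so the certificate can be
    inspected, but chain validation against ca_file is kept on, because
    ssl.getpeercert() returns no parsed fields when verification is off."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    print(explain_failure("rt31a10088qv00", SAMPLE_SAN))
    print(explain_failure("rt31a10088qv00.corp.example", SAMPLE_SAN))
```

In practice this means either connecting with the exact name present in the certificate (the FQDN) or reissuing the certificate with the short hostnames added as SAN entries; changing `xpack.security.http.ssl.verification_mode` on the server does not affect what the client verifies.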