The target principal name is incorrect

I am using these below settings and newly created certificate for setting up Transport and HTTP security.

  1. My setting in elasticsearch.yml is as below:

xpack.security.enabled : True

xpack.security.transport.ssl.enabled : True
xpack.security.transport.ssl.verification_mode : certificate
xpack.security.transport.ssl.key : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.key
xpack.security.transport.ssl.certificate : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.cer
xpack.security.transport.ssl.certificate_authorities : [ "/app/cd1/qa/elasticsearch-latest/config/certs/CorporationIssuing.crt" ]
xpack.security.transport.ssl.supported_protocols : [ "TLSv1.2" ]

xpack.security.http.ssl.enabled : True
xpack.security.http.ssl.verification_mode : certificate
xpack.security.http.ssl.key : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.key
xpack.security.http.ssl.certificate : /app/cd1/qa/elasticsearch-latest/config/certs/ucmelasticn.cer
xpack.security.http.ssl.certificate_authorities : [ "/app/cd1/qa/elasticsearch-latest/config/certs/CorporationIssuing.crt" ]
xpack.security.http.ssl.supported_protocols : [ "TLSv1.2" ]

  2. My elasticsearch cluster has 8 nodes and I am just trying to bring up the first master node only. The certificate is the same for all 8 nodes, as it contains DNS entries of all 8 nodes.

  3. While I try to hit the URL, I get the following error:

C:\Program Files\Java\jdk1.8.0_291\bin>curl -v https://rt31a10088qv00:9200
* Rebuilt URL to: https://rt31a10088qv00:9200/
*   Trying 10.200.77.27...
* TCP_NODELAY set
* Connected to rt31a10088qv00 (10.200.77.27) port 9200 (#0)
* schannel: SSL/TLS connection with rt31a10088qv00 port 9200 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 183 bytes...
* schannel: sent initial handshake data: sent 183 bytes
* schannel: SSL/TLS connection with rt31a10088qv00 port 9200 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with rt31a10088qv00 port 9200 (step 2/3)
* schannel: encrypted data got 2400
* schannel: encrypted data buffer: offset 2400 length 4096
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with rt31a10088qv00 port 9200
* schannel: clear security context handle
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.

Please advise.

This is Schannel being particularly cryptic in its error messages.

The most probable explanation is that the certificate you are using (ucmelasticn.cer) is not valid for the hostname you are providing to curl (rt31a10088qv00).

  1. I added "-k" option in curl and it worked as below.
  2. I also tried using https connection from java by allowing untrusted https connection and was able to push data in elastic. I
curl reply is below:
curl -k https://localhost:9200
{
  "name" : "rt31a10088qv00.bnymellon.net-master",
  "cluster_name" : "cd1-qtxa-elastic-cluster-qa-primary",
  "cluster_uuid" : "TdvBInVNQtGmMDtTfpt2bw",
  "version" : {
    "number" : "7.6.1",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "aa751e09be0a5072e8570670309b1f12348f023b",
    "build_date" : "2020-02-29T00:15:25.529771Z",
    "build_snapshot" : false,
    "lucene_version" : "8.4.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

My question: does it mean the certificates are good, or do they have some issues that will create problems later? Any thoughts/suggestions will be highly appreciated. Thank you.
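The check that failed in the first post, and what `-k` switched off in the last one, can be reproduced offline. The following is an added example, not code from this thread or from Elasticsearch: it implements the subjectAltName hostname match a TLS client performs (the step Schannel reports as SEC_E_WRONG_PRINCIPAL), runs it against a constructed SAN list, and builds the two Python `ssl` client contexts that correspond to a normal `curl` and to `curl -k`. The DNS names (`*.example.net`) and the SAN contents are assumptions for illustration; the real certificate was not shown. Python's standard library only.

```python
"""Added example (not from the thread): the hostname check a TLS client performs
on a server certificate, reproduced offline, plus the two client configurations
the thread contrasts (strict verification vs. `curl -k`)."""
import ssl

# Constructed sample: DNS names one shared cluster certificate might list in its
# subjectAltName extension. Assumption for illustration only.
SAMPLE_SAN_DNS_NAMES = [
    "rt31a10088qv00.example.net",
    "rt31a10088qv01.example.net",
    "es-cluster.example.net",
]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against the hostname the client connected with.

    Follows the usual RFC 6125 client rules: case-insensitive, a trailing dot is
    ignored, and '*' is honoured only as the entire left-most label and only when
    at least two labels follow it (so '*.example.net' covers neither
    'example.net' nor 'a.b.example.net').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName entry covers the requested hostname."""
    return any(_dns_name_matches(name, hostname) for name in san_dns_names)


def diagnose(san_dns_names, hostname: str) -> str:
    """Say what the client error message does not: which names the cert covers."""
    if hostname_matches(san_dns_names, hostname):
        return f"ok: '{hostname}' is covered by the certificate's SAN list"
    covered = ", ".join(san_dns_names) or "<none>"
    return (f"mismatch: '{hostname}' is not listed in the certificate's SAN list; "
            f"connect using one of: {covered}, or reissue the certificate with "
            f"'{hostname}' added")


def strict_client_context(cafile: str = "") -> ssl.SSLContext:
    """Client settings that verify the chain AND the hostname (curl's default).

    `cafile` would be the issuing CA bundle; it is optional here only so the
    function runs offline without a file on disk."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """Equivalent of `curl -k`: neither chain nor hostname is checked, so a
    successful response proves only that the port speaks TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only when both the chain and the hostname are enforced."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # The short name from the thread's curl command vs. a fully-qualified name.
    print(diagnose(SAMPLE_SAN_DNS_NAMES, "rt31a10088qv00"))
    print(diagnose(SAMPLE_SAN_DNS_NAMES, "rt31a10088qv00.example.net"))
    print("strict context verifies peer:", context_verifies_peer(strict_client_context()))
    print("-k style context verifies peer:", context_verifies_peer(insecure_client_context()))
```

Run against the sample list, the short name `rt31a10088qv00` is reported as a mismatch while the fully-qualified form is accepted, which is the pattern to look for when a shared multi-node certificate lists only FQDNs. `insecure_client_context()` shows why the `-k` result answers the question "is the port serving TLS?" but not "is the certificate valid for this name?": a client that never checks the peer will also accept a certificate presented by anything sitting between it and the node.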