Example when I create a cert with this command
./bin/elasticsearch-certutil cert --name logstash \
--ca-cert /home/sbrown/logstash/elasticsearch-8.10.4/certs/ca/ca.crt \
--ca-key /home/sbrown/logstash/elasticsearch-8.10.4/certs/ca/ca.key \
--dns stephenb-es-8-test \
--ip 10.168.0.12 --pem
Then I run
openssl x509 -text -noout -in certs/logstash/logstash.crt
...
X509v3 Subject Alternative Name:
IP Address:10.168.0.12, DNS:stephenb-es-8-test
X509v3 Basic Constraints:
And then Beats can do full validation with the IP or DNS, but what I see in your certificate is JUST the DNS and you are connecting VIA IPs, so the Subject Alternative Names do not match and thus it cannot do full certificate validation.
That is why you are getting the error... it all lines up.
(Why it did work before I can not answer for you)
So when I run the curl with the IP I see this
$ curl -v --cacert /home/sbrown/logstash/elasticsearch-8.10.4/certs/ca/ca.crt https://10.168.0.12:5044
* Trying 10.168.0.12:5044...
* TCP_NODELAY set
* Connected to 10.168.0.12 (10.168.0.12) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/sbrown/logstash/elasticsearch-8.10.4/certs/ca/ca.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
..........
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=logstash
* start date: Oct 29 21:02:43 2023 GMT
* expire date: Oct 28 21:02:43 2026 GMT
* subjectAltName: host "10.168.0.12" matched cert's IP address! <!---- HERE
* issuer: CN=Elastic Certificate Tool Autogenerated CA
* SSL certificate verify ok.
I even tested when I created a cert with the IP in the DNS SAN ...
$ ./bin/elasticsearch-certutil cert --name logstashbad \
--ca-cert /home/sbrown/logstash/elasticsearch-8.10.4/certs/ca/ca.crt \
--ca-key /home/sbrown/logstash/elasticsearch-8.10.4/certs/ca/ca.key \
--dns 10.168.0.12 --pem
I get the error
curl -v --cacert /home/sbrown/logstash/elasticsearch-8.10.4/certs/ca/ca.crt https://10.168.0.12:5044
* Server certificate:
* subject: CN=logstashbad
* start date: Oct 30 05:39:09 2023 GMT
* expire date: Oct 29 05:39:09 2026 GMT
* subjectAltName does not match 10.168.0.12
* SSL: no alternative certificate subject name matches target host name '10.168.0.12'
and I see
$ openssl x509 -in logstashbad.crt -noout -text
.....
X509v3 Subject Alternative Name:
DNS:10.168.0.12
X509v3 Basic Constraints:
CA:FALSE
So I just reproduced what you are seeing... (Why it worked before I am unclear) but I am pretty sure that is the problem.
You have IP addresses in the DNS SANs section in your certs and that is why full certificate validation is failing.
I think ...Hmmm why did it change / work before... .. Hmmm
And in general... if I never had to mess with another cert in my career I would be Happy!
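As an added illustration of the matching rule the reply above relies on (this is example code written for this page, not part of the original post or of Elastic's tooling): a TLS client that is handed an IP literal only compares it against iPAddress SAN entries, and a DNS target only against dNSName entries, so `DNS:10.168.0.12` can never satisfy `https://10.168.0.12`. The script parses the SAN line in the text form `openssl x509 -text` prints, then applies that rule (plus the usual case-insensitive, single-left-most-label wildcard handling for DNS names). The sample SAN lines are constructed copies of the two shown in the post; the function names are my own.

```python
"""Added example: why an IP address placed in a DNS SAN fails hostname verification.

Matching follows the client-side rules of RFC 6125 / RFC 5280 subjectAltName handling:
  - target is an IP literal  -> only 'IP Address:' entries are considered, compared by value
  - target is a DNS name     -> only 'DNS:' entries are considered (case-insensitive,
                                wildcard allowed only as the whole left-most label)
The SAN text parsed here is the format `openssl x509 -text -noout` prints.
"""
import ipaddress

# Constructed samples, copied from the two certificates shown in the post.
GOOD_SAN_LINE = "IP Address:10.168.0.12, DNS:stephenb-es-8-test"   # --ip and --dns
BAD_SAN_LINE = "DNS:10.168.0.12"                                  # --dns only

# Constructed excerpt of `openssl x509 -text` output for the "bad" certificate.
BAD_OPENSSL_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:10.168.0.12
            X509v3 Basic Constraints:
                CA:FALSE
"""

SAN_HEADER = "X509v3 Subject Alternative Name:"


def san_line_from_openssl_text(text):
    """Return the line that follows the SAN header in openssl text output ('' if absent)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(SAN_HEADER) and i + 1 < len(lines):
            return lines[i + 1].strip()
    return ""


def parse_san_line(line):
    """Parse 'IP Address:x, DNS:y' into [('IP', 'x'), ('DNS', 'y')].

    Only dNSName and iPAddress entries matter for hostname verification; other
    types (email, URI, ...) are skipped. partition() on the first ':' keeps IPv6
    values such as 'IP Address:2001:db8::1' intact.
    """
    entries = []
    for part in line.split(","):
        kind, _, value = part.strip().partition(":")
        kind, value = kind.strip(), value.strip()
        if kind == "DNS":
            entries.append(("DNS", value))
        elif kind == "IP Address":
            entries.append(("IP", value))
    return entries


def _dns_name_matches(pattern, hostname):
    """dNSName comparison: case-insensitive; '*' only as the entire left-most label
    and only when at least two labels follow it (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _ip_equal(san_value, target_ip):
    """Compare an 'IP Address:' SAN value to the parsed target address."""
    try:
        return ipaddress.ip_address(san_value) == target_ip
    except ValueError:   # malformed SAN value never matches
        return False


def host_matches_san(target, san_entries):
    """True if the host the client typed is covered by the certificate's SAN list.

    An IP literal is compared only to IP entries, so DNS:10.168.0.12 does not
    cover https://10.168.0.12 even though the text is identical.
    """
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None
    if target_ip is not None:
        return any(kind == "IP" and _ip_equal(value, target_ip) for kind, value in san_entries)
    return any(kind == "DNS" and _dns_name_matches(value, target) for kind, value in san_entries)


if __name__ == "__main__":
    for label, san in (("good", GOOD_SAN_LINE), ("bad", BAD_SAN_LINE)):
        ok = host_matches_san("10.168.0.12", parse_san_line(san))
        print(f"{label} cert, target 10.168.0.12: {'verify ok' if ok else 'no SAN matches'}")
```

Run it as-is and the "good" SAN (`IP Address:10.168.0.12`) verifies while the "bad" one (`DNS:10.168.0.12`) does not, which is the same split curl reported in the post. The practical check on a live certificate is `openssl x509 -noout -ext subjectAltName -in cert.crt`: whatever you put in the URL must appear under the matching entry type, `IP Address:` for an address and `DNS:` for a name.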