TSL: Unable to connect to remote cluster, certificate missing "common-names"


We would like to use markdown to display images on our Kibana dashboards which are hosted in the cloud (i.e.: "Elastic Cloud").

Those images are confidential. As such, we cannot host them on a server accessible from outside our network. This prevents us from accessing them from our Kibana cloud instance.

As an alternative, I thought of hosting Kibana internally, yet have it connect to our Elastic cloud instance. The server hosting Kibana would be on our internal network. My hopes would be that we could specify a path in markdown pointing a location on our internal NAS.

This led me to learn more about "Remote Clusters" and Cross Cluster Search.

I configured an Elastic stack (v8.5.2, same as our cloud instance) on a machine on our network and followed the various guides to setup TSL on the transport port.

I have created a CA using:

elasticsearch-certutil ca --pem --ca-dn CN=hussein_local_CA

I created a "Trusted Environment" on my cloud instance using that CA certificate.

I then created a certificate using that CA, the output file being "elastic-certificates.p12":

elasticsearch-certutil cert --ca-cert ca.crt --ca-key ca.key

I downloaded the CA certificate from my cloud instance and imported it into the truststore "elastic-certificates.p12" using:

keytool.exe -importcert -trustcacerts -noprompt -keystore elastic-certificates.p12 -storepass X -alias X -file CloudInstanceCAFile.crt

Here is what my elastic.yml on my local instance looks like:

Finally, on my local Elastic instance, I've added my cloud instance as a remote cluster.

Unfortunately, when attempting to establish a connection, the cloud instance returns the following error:

The CA is trusted, yet for some reason the certificate is not verified against the known trusted names.

I synced elastic's code from Git and looked at what could possibly represent those "common-names" that seem to be missing. I found the following in RestrictedTrustManager.java:

Using elasticsearch-certutil cert, I'm not sure exactly how to specify the attributes its looking for.

Any help would be greatly appreciated.


To generate the required common-name, you need use eleaticsearch-certutil with YAML input

The common name can be specified with the cn attribute, e.g.:

  - name: "node1" 
    cn: "my-common-name"
      - ""
      - "node1.mydomain.com"

This worked great, thank you ! I could have missed it, but I believe this step is not part of the official documentations for TSL / remote clusters configuration. It could be worth adding.

Thanks again !

Elastic Cloud documents its SAN otherName format requirement here.

SAN otherName is a key/value pair. The key is CN. That is the CN value in the YAML file mentioned by @Yang_Wang, so it does seem to be documented.

Thanks @Justin_Cranford.

The elastic-certutil documentation tells you about YML support, but doesn't provide an example for setting the CN value.

Looking at the help prompt in command line for certutil, -E should be used to "configure a setting" using a KVP format, but I couldn't find an example. I've tried using that flag with no success.

The Remote Clusters documentation takes you to the Configure remote clusters with security page, which in turn takes you to the Set up basic security for the Elastic stack page.

That page shows a certificate generation example using elasticsearch-certutil cert but doesn't mention having to use YML to configure SAN otherName.

I'm mostly looking at this from the POV of someone not familiar with SSL/TSL, there's a lot to digest and not all of it is immediately apparent.

1 Like

Thank you! That is great feedback.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.