We do our best to detect all IP addresses of the interfaces that are up when elasticsearch is installed and then use them as IP Subject Alternative Names in the HTTP TLS certificate. How is the networking configured for your VM? Is 10.24.1.5 an IP address that the VM itself is aware of or are you using NAT?
If you still have these around, you can take a look at what IP addresses we found out by inspecting the certificate. (I'm assuming you have installed this with the DEB package, so the following commands apply to that.)
# /usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
will show you the password for the http.p12 keystore. Then you can run
keytool -keystore /etc/elasticsearch/config/certs/http.p12 -storepass <password_you_got_above> -list -v
and look at the section that starts with Alias name: http.
As to what you can do now, you can either:
- Reinstall elasticsearch and use an IP address/hostname to access it that exists in the SANs of the certificate. Use the enrollment process as described in to configure Kibana
or
- Manually configure TLS following the instructions we have in Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.11] | Elastic
We will track this and see if it makes sense to allow creating kibana enrollment tokens with manual/custom TLS setups and/or enhance the error message to make it clearer why it fails. Thanks for reporting this @maof97!
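
Added example, not part of the original post: a small shell filter that reads `keytool -list -v` output, keeps only the section for a given alias, and reports whether an address appears among its IP Subject Alternative Names. The function names, the second alias `other`, and the sample keystore listing (including 10.0.2.15) are constructed for illustration; the listing follows keytool's usual `SubjectAlternativeName [ ... ]` layout.

```shell
#!/bin/sh
# Print the IPAddress SAN values of one keystore alias.
# stdin: output of `keytool -list -v`; $1: alias name (e.g. http)
san_ips() {
  awk -v alias="$1" '
    /^Alias name: /                         { in_alias = ($3 == alias); in_san = 0; next }
    in_alias && /SubjectAlternativeName \[/ { in_san = 1; next }
    in_san && /^[[:space:]]*\]/             { in_san = 0; next }
    in_san && $1 == "IPAddress:"            { print $2 }
  '
}

# Succeed only if IP $2 is an exact SAN entry of alias $1.
has_san_ip() {
  san_ips "$1" | grep -Fxq -- "$2"
}

# Constructed sample of a keytool listing (not real output from any host).
sample_keytool_output() {
  cat <<'EOF'
Keystore type: PKCS12

Alias name: http
Entry type: PrivateKeyEntry
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 127.0.0.1
  DNSName: localhost
  IPAddress: 10.0.2.15
]

Alias name: other
Entry type: trustedCertEntry
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 10.24.1.5
]
EOF
}

# Against a real keystore, pipe the keytool command from the post instead:
#   keytool -keystore /etc/elasticsearch/config/certs/http.p12 \
#     -storepass <password_you_got_above> -list -v | has_san_ip http 10.24.1.5
for ip in 127.0.0.1 10.24.1.5; do
  if sample_keytool_output | has_san_ip http "$ip"; then
    echo "$ip: present in the http certificate SANs"
  else
    echo "$ip: not in the SANs, clients connecting to it will fail verification"
  fi
done
```

Matching is scoped to the named alias, so an address that only appears in another entry of the keystore does not count.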