I am setting up TLS on 6.1 and am having problems running set-password.
I configure ES as follows:
rm -rf elasticsearch-6.1.2
cp elasticsearch.yml /config
./bin/elasticsearch-plugin install file:///./x-pack-6.1.2.zip
/elasticsearch-6.1.2/bin/x-pack/certutil ca -pass '' -out elastic-stack-ca.p12
/elasticsearch-6.1.2/bin/x-pack/certutil cert ca -pass '' elastic-stack-ca.p12 -out elastic-certificates.p12
The docs say
"By default certutil generates certificates that have no hostname information in them (that is, they do not have any Subject Alternative Name fields). This means that you can use the certificate for every node in your cluster, but you must turn off hostname verification as shown in the configuration below."
This is what I want as it is all going to run on AWS using Terraform/Packer and when I launch an instance, I want the node to have a certificate that can be run on any node.
However when I run set-up password, I receive the following error.
My x-pack settings are
xpack.monitoring.enabled : true
xpack.security.enabled : true
xpack.graph.enabled : false
xpack.ml.enabled : false
bootstrap.system_call_filter : false
SSL connection to https://x.x.x.x:9200/_xpack/security/_authenticate?pretty failed: java.security.cert.CertificateException: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.
However I specifically don't want to use a SAN for the reason stated above.
Am I doing anything wrong? What can I do to resolve the issues?
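Added example, not part of the original post and not Elasticsearch or JDK code: a simplified Python model of the hostname step of TLS verification, showing why a client that connects by IP address rejects a certificate with no SAN entries, and that certificate-only verification skips that step. The certificate dicts, the name `instance` and the 192.0.2.x addresses are constructed; the mode names follow Elasticsearch's `verification_mode` values.

```python
import ipaddress

class CertificateError(Exception):
    pass

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_identity(cert, host, verification_mode="full"):
    """Model only the hostname step; chain validation is out of scope here."""
    if verification_mode in ("certificate", "none"):
        return "hostname check skipped"
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        # An IP literal can only match a SAN IP entry; there is no CN fallback.
        if not sans:
            raise CertificateError("No subject alternative names present")
        want = ipaddress.ip_address(host)
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == want:
                return "matched SAN IP " + value
        raise CertificateError(
            "No subject alternative names matching IP address %s found" % host)
    # DNS name: SAN DNS entries win; the CN is consulted only when none exist.
    dns = [v.lower() for k, v in sans if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if host.lower() in (dns or cns):
        return "matched " + ("SAN DNS " if dns else "CN ") + host.lower()
    raise CertificateError("No name matching %s found" % host)

def describe(cert, host, mode="full"):
    try:
        return check_identity(cert, host, mode)
    except CertificateError as exc:
        return "rejected: " + str(exc)

# Constructed certificates in the dict shape of ssl.SSLSocket.getpeercert().
NO_SAN_CERT = {"subject": ((("commonName", "instance"),),)}
SAN_CERT = dict(NO_SAN_CERT, subjectAltName=(
    ("DNS", "node1.example.internal"), ("IP Address", "192.0.2.10")))

if __name__ == "__main__":
    for cert, host, mode in [(NO_SAN_CERT, "192.0.2.10", "full"),
                             (NO_SAN_CERT, "192.0.2.10", "certificate"),
                             (SAN_CERT, "192.0.2.10", "full")]:
        print(host, mode, "->", describe(cert, host, mode))
```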