Using single certificate which contains multiple SANs

(Prasanth Prasad) #1

Is it possible to use a single certificate (which contains multiple SANs) in all the nodes in 6.3 Elasticsearch cluster? (I want to use xpack.ssl.verification_mode=full)

For example, I have a 5 node cluster and my certificate's Subject Alternative Name looks like this

(Peter Steenbergen) #2

If the certificate contains all the domains mentioned. Then yes it should be possible.

(Prasanth Prasad) #3

Thank you Peter. I will try it and will reply back if see issues.

(Prasanth Prasad) #4

Cluster setup is complete and everything seems to be working except a warning which is shown on the elasticsearch server.

Here are the details of my cluster

  • 5 nodes (4 masters, 1 data)
  • Gold subscription license applied
  • SSL and HTTPS configured (Godaddy)
  • Single certificate with multiple SAN used
  • Testing from browser displays ok (Browser shows certificate is valid)
  • Testing using openssl shows ok (No validation errors)
    [openssl s_client -showcerts -host -port 9200]

Below warning is shown on the elasticsearch server. Interesting factor is that the IP ( shown below is not from my cluster. What is the reason for this warning and how can I avoid this?

Exception at server:

caught exception while handling client http traffic, closing connection [id: 0x6c20770e, L: ! R:/]
io.netty.handler.codec.DecoderException: Received fatal alert: bad_certificate

Caused by: Received fatal alert: bad_certificate

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.