Using single certificate which contains multiple SANs


(Prasanth Prasad) #1

Is it possible to use a single certificate (which contains multiple SANs) on all the nodes in a 6.3 Elasticsearch cluster? (I want to use xpack.ssl.verification_mode=full)

For example, I have a 5 node cluster and my certificate's Subject Alternative Name looks like this:
DNS Name=myesnode1.xxx.com
DNS Name=myesnode2.xxx.com
DNS Name=myesnode3.xxx.com
DNS Name=myesnode4.xxx.com
DNS Name=myesnode5.xxx.com


(Peter Steenbergen) #2

If the certificate contains all the domains mentioned, then yes, it should be possible.
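
An added example, not part of the original thread and not Elasticsearch's own code: a simplified check of the condition in the reply above, that every address the nodes are reached by is covered by the certificate's SAN entries, which is what hostname verification in `full` mode depends on. The DNS names are the ones from the question; the list of node addresses (including the sixth node and the IP) is constructed, and the matching rules follow RFC 6125 in simplified form.

```python
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def san_covers(host, dns_names, ip_addrs=()):
    """True if `host` (a DNS name or an IP literal) is matched by the SAN entries."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(d, host) for d in dns_names)
    # IP literals are compared only against iPAddress entries, never dNSName ones.
    return any(addr == ipaddress.ip_address(i) for i in ip_addrs)


def uncovered(hosts, dns_names, ip_addrs=()):
    """Return the addresses that hostname verification would reject."""
    return [h for h in hosts if not san_covers(h, dns_names, ip_addrs)]


# dNSName entries listed in the question.
SAN_DNS = [f"myesnode{i}.xxx.com" for i in range(1, 6)]

# Constructed sample: addresses other nodes or clients might connect to.
NODE_ADDRESSES = [
    "myesnode1.xxx.com",
    "MYESNODE5.xxx.com",   # case differs, still matches
    "myesnode6.xxx.com",   # constructed: a node added later, not in the SAN
    "10.0.0.11",           # constructed: node addressed by IP, no iPAddress SAN
]

if __name__ == "__main__":
    for h in uncovered(NODE_ADDRESSES, SAN_DNS):
        print("not covered by SAN:", h)
```

A node that is addressed by IP passes only if the certificate also carries that IP as an iPAddress SAN entry.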


(Prasanth Prasad) #3

Thank you, Peter. I will try it and will reply back if I see issues.


(Prasanth Prasad) #4

Cluster setup is complete and everything seems to be working except a warning which is shown on the Elasticsearch server.

Here are the details of my cluster

  • 5 nodes (4 masters, 1 data)
  • Gold subscription license applied
  • SSL and HTTPS configured (GoDaddy)
  • Single certificate with multiple SANs used
  • Testing from browser displays ok (Browser shows certificate is valid)
  • Testing using openssl shows ok (No validation errors)
    [openssl s_client -showcerts -host mynode1.xxx.com -port 9200]

The warning below is shown on the Elasticsearch server. An interesting factor is that the IP (10.10.171.205) shown below is not from my cluster. What is the reason for this warning and how can I avoid this?

Exception at server:

caught exception while handling client http traffic, closing connection [id: 0x6c20770e, L:0.0.0.0/0.0.0.0:9200 ! R:/10.10.171.205:63966]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: bad_certificate

Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_certificate

