But when I'm trying to connect my Filebeat to Elasticsearch I'm getting the error x509: cannot validate certificate for xx.xx.xx.xx because it doesn't contain any IP SANs.
I'm using nginx to reverse proxy to elasticsearch api via the setting below
They are mentioned in the documentation but I am not able to understand them well. Do I need to copy the .pem and .key from the Elasticsearch machine, create these files on the Filebeat machine and then reference them in the filebeat.yml file as described in the documentation? Even then, I do not have ca.pem on my Elasticsearch machine.
I guess that curl works there because with the -k option it is not validating certificates.
If you want to have the same behaviour in Filebeat (not recommended for production environments), then you can use the following option, which disables certificate validation.
Regarding the error "cannot validate certificate for xx.xx.xx.xx because it doesn't contain any IP SANs", it indicates that your server is using a certificate that cannot be validated for IP addresses, but you are using an IP address to connect to it. You would need to do one of these things:
Regenerate the server certificate, including the IP as the alternate name.
Configure filebeat to use one of the names included in the certificate.
In both cases, if you are signing these server certificates, you will need to use the output.elasticsearch.ssl.certificate_authorities option to indicate the certificate authority.
The certificate and key options are used for client validation. That doesn't seem to be required in your case.
@jsoriano sorry for disturbing you. I looked into the blog you mentioned and it's great. The part I am confused about is: do we have to copy the certificates which were generated on one node to all the nodes, or do we have to generate the certificate again for each node following the same steps, or is there something else?
Yes, you need to copy the certificates for each node. This is explained in step 4.
You have to customize the instance file in step [2-3] to match your deployment (the number of nodes you have, their host names and so on) so you have a pair of certificate and key files (.crt and .key files) for each server.
For clients, like filebeat, you only need the certificate authority file (ca.crt file created in step [2-4]).