X509: cannot validate certificate for xx.xx.xx.xxbecause it doesn't contain any IP SANs

I am able to curl my elasticsearch API successfully

curl -k --verbose https://username:password@x.x.x.x:9900

But when i'm trying to connect my filebeat to elasticsearch i'm getting the error x509: cannot validate certificate for xx.xx.xx.xxbecause it doesn't contain any IP SANs.

I'm using nginx to reverse proxy to elasticsearch api via the setting below

server {
    listen 9900 default_server;
    listen            [::]:9900;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/elastic-access.pem;
    ssl_certificate_key /etc/pki/tls/private/elastic-access.key;
    access_log            /var/log/nginx/nginx.access.log;
    error_log            /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://x.x.x.x:9200/;
    }
}

i don't know much about ssl.
Below are the setting i am using in my filebeat.yml file

output.elasticsearch.hosts: ['https://x.x.x.x:9900']
output.elasticsearch.username: username
output.elasticsearch.password: password

There are few options for ssl written in the documentation but i m confuse

output.elasticsearch.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
output.elasticsearch.ssl.certificate: "/etc/pki/client/cert.pem"
output.elasticsearch.ssl.key: "/etc/pki/client/cert.key"

They are mention in the documentation but i am not able to understand them well. Do i need to copy the .pem and .key from elasticsearch machine and create these file in filebeat machine and then reference them in filebeat.yml file as describe in documentation even then i do not have ca.pem in my elasticmahine.

Hey @Daud_Ahmed,

I guess that curl works there because with the -k option it is not validating certificates.

If you want to have the same behaviour in Filebeat (not recommended for production environments), then you can use the following option, that disables certificates validation.

output.elasticsearch.ssl.verification_mode: 'none'

Regarding the error cannot validate certificate for xx.xx.xx.xxbecause it doesn't contain any IP SANs., it indicates that your server is using a certificate that cannot be validated for IP addresses, but you are using an IP address to connect to it. You would need to do one of these things:

  • Regenerate the server certificate, including the IP as the alternate name.
  • Configure filebeat to use one of the names included in the certificate.

In both cases, if you are signing these server certificates, you will need to use output.elasticsearch.ssl.certificate_authorities option to indicate the certificate authority.

The certificate and key options are used for client validation. That doesn't seem to be required in your case.

Btw, there is a blogpost that may help you: https://www.elastic.co/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash

@jsoriano thanks means alot.

1 Like

@jsoriano sorry for disturbing you i looked into the blog you mentioned and it's great and the part which i am confuse is do we have to copy the certificates which generated in one node to all the nodes or do we have to generate the certificate again for each node following the same steps or is there something else?

Yes, you need to copy the certificates for each node. This is explained in step 4.

You have to customize the instance file in step [2-3] to match your deployment (the number of nodes you have, their host names and so on) so you have a pair of certificate and key files (.crt and .key files) for each server.

For clients, like filebeat, you only need the certificate authority file (ca.crt file created in step [2-4].

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.