Certificate error

I have a single host on which a 3-node ES cluster is running using Docker. Out of these 3 nodes, 2 are master-eligible nodes and one is a data node. So the two master-eligible nodes share a common elasticsearch.yml file and the data node has a different elasticsearch.yml file. So far I have configured the SSL/TLS certificate for the node, but I haven’t changed the admin certificate; it is using the default one, that is:

opendistro_security.authcz.admin_dn:
  - CN=admin,OU=SSL,O=Test,L=Test,C=DE

I am getting this error whenever I start my docker container of ES:

[2019-03-27T11:02:59,622][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [elsatic-node-1] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with
a non-node certificate (no OID or opendistro_security.nodes_dn incorrect configured) or that someone
is spoofing requests. Check your TLS certificate setup as described in documentation]

How can I resolve this issue?

P.S: Wildcard certificate is being used for configuring the node certificates.

Check Nodes_dn configuration - #3 by Nishant

I have run into this issue also. I found the solution by looking at Search Guard's TLS documentation.

You have to either list all the nodes by DN on each server, or your certificates have to have the same OID key.

searchguard.nodes_dn:
  - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
  - 'CN=elk-devcluster*'
  - '/CN=.*regex/'

I ended up using the Search Guard offline TLS Tool.

This let me create a CA, all my node certs, and admin certs at the same time. I also noticed in its docs an option to set admin certs to also include an admin tag, “admin: true”. This may or may not matter.

2 Likes
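An added example, not code from this thread or from the plugin: a small audit of a nodes_dn list like the one in the answer above. It reports which node certificate subjects no entry covers (the case that produces the "non-node certificate" error) and which entries would also treat an admin DN as a node. The matching rules are an assumption (`*` any run of characters, `?` one character, `/.../` a full-match regex, case-sensitive), and the subject DNs are constructed.

```python
import re

def normalize(dn):
    # Naive RDN split: assumes no escaped commas inside attribute values.
    return ",".join(part.strip() for part in dn.split(","))

def dn_matches(pattern, dn):
    """True if dn matches one nodes_dn entry (wildcard or /regex/ form)."""
    dn = normalize(dn)
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], dn) is not None
    # Assumed wildcard semantics: '*' = any run, '?' = exactly one character.
    rx = re.escape(normalize(pattern)).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, dn) is not None

def audit(nodes_dn, node_subjects, admin_dns):
    """Return (node subjects no entry covers, entries that also cover an admin DN)."""
    unmatched = [s for s in node_subjects
                 if not any(dn_matches(p, s) for p in nodes_dn)]
    too_broad = [p for p in nodes_dn
                 if any(dn_matches(p, a) for a in admin_dns)]
    return unmatched, too_broad

# Entries copied from the nodes_dn list in the answer above.
NODES_DN = [
    "CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE",
    "CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE",
    "CN=elk-devcluster*",
    "/CN=.*regex/",
]
# Default admin DN quoted in the question.
ADMIN_DN = ["CN=admin,OU=SSL,O=Test,L=Test,C=DE"]
# Constructed subjects, as each node's certificate might present them.
NODE_SUBJECTS = [
    "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE",   # wildcard cert, listed
    "CN=elk-devcluster-2,OU=Ops,O=Test,C=DE",           # covered by prefix entry
    "CN=es-data-1.internal,OU=SSL,O=Test,L=Test,C=DE",  # not covered by any entry
]

if __name__ == "__main__":
    unmatched, too_broad = audit(NODES_DN, NODE_SUBJECTS, ADMIN_DN)
    for s in unmatched:
        print("no nodes_dn entry covers:", s)
    for p in too_broad:
        print("entry also matches an admin DN:", p)
```

To run it against a real cluster, replace `NODE_SUBJECTS` with the subject line of each node certificate (for example from `openssl x509 -subject -nameopt RFC2253 -noout -in node.pem`).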

I am running into the same issue with self-signed certs. Can you please share an example tlsconfig that you used for your cluster?

1 Like