Hi
I just would like to comment that it was difficult for me to set `plugins.security.ssl.transport.enforce_hostname_verification: true` using the current documentation. First, my initial master node logs were showing `SSL Problem Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)`, which wasn't very helpful to debug.
The other node was showing logs complaining about `No subject alternative names`, which helped me a little bit. In the end the problem was that my self-signed certificates for the nodes didn't have a SAN, but in order to have it, I had to have an `openssl.conf` with the following content:
```
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C="CA"
ST="ONTARIO"
L="TORONTO"
O="Canonical"
OU="Data Platform"
CN=<fqdn>
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP = <IP>
DNS.1 = <fqdn>
DNS.2 = <hostname>
```
And then run the command:
```
openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile openssl.conf -extensions v3_req
```
After this, I was able to check that the SAN was present in the certificate by running:
```
openssl x509 -noout -ext subjectAltName -in node1.pem
```
Without using this v3, the SAN isn't available in the certs.
I didn't find anything in the documentation that would help me solve this. In the troubleshooting section regarding "Check SAN hostnames and IP addresses", it's not clear to me which commands are necessary to get that information. I also had problems using `keytool -list -v -keystore keystore.jks`. It seems this doesn't work out of the box. Maybe it's my lack of experience with TLS, Java and OpenSearch, but definitely having some more tips in the documentation would help future travelers a lot.
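The whole procedure from the post, end to end, as an added example that is not part of the original post or of the OpenSearch project: it creates a throwaway root CA, a node CSR whose `openssl.conf` carries the SAN block, signs the CSR once with `-extfile ... -extensions v3_req` and once without, and then checks each result the way a hostname-verification setting would (SAN present, chain valid, SAN matches the node's FQDN). The FQDN `node1.example.internal`, the short hostname `node1`, the IP `10.0.0.11` and the organisation names are constructed values; the script assumes an `openssl` binary of 1.0.2 or newer (for `-verify_hostname`) and reads the SAN from `-text` output rather than `-ext`, which only exists from 1.1.1.

```shell
#!/bin/sh
# Added example (not from the original post): generate a root CA and a node
# certificate with SAN entries, then verify the SAN, the chain and the hostname.
# All names, IPs and organisation values below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="node1.example.internal"   # constructed
SHORT_HOST="node1"              # constructed
NODE_IP="10.0.0.11"             # constructed

# Same layout as the openssl.conf in the post; IP.1/DNS.n keys feed subjectAltName.
write_openssl_conf() {
  cat > "$WORK/openssl.conf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = CA
ST = ONTARIO
L = TORONTO
O = Example Org
OU = Data Platform
CN = $FQDN
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = $NODE_IP
DNS.1 = $FQDN
DNS.2 = $SHORT_HOST
EOF
}

# Self-signed root CA used only to sign the node certificate.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root-ca-key.pem" -out "$WORK/root-ca.pem" >/dev/null 2>&1
}

# CSR built from the config, then signed twice: with and without the v3_req extensions.
make_node_certs() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.conf" \
    -keyout "$WORK/node1-key.pem" -out "$WORK/node1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/node1.csr" -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca-key.pem" \
    -CAcreateserial -sha256 -days 730 -extfile "$WORK/openssl.conf" -extensions v3_req \
    -out "$WORK/node1.pem" >/dev/null 2>&1
  # The "before" case from the post: no -extfile, so the SAN never reaches the cert.
  openssl x509 -req -in "$WORK/node1.csr" -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca-key.pem" \
    -CAcreateserial -sha256 -days 730 -out "$WORK/node1-nosan.pem" >/dev/null 2>&1
}

# 0 when the certificate's SAN lists the FQDN, the short hostname and the IP.
san_present() {
  text="$(openssl x509 -noout -text -in "$1" 2>/dev/null)" || return 1
  echo "$text" | grep -q "DNS:$FQDN" || return 1
  echo "$text" | grep -q "DNS:$SHORT_HOST" || return 1
  echo "$text" | grep -q "IP Address:$NODE_IP" || return 1
  return 0
}

# 0 when the certificate chains to the root CA and its SAN matches the given name,
# which is the check a transport hostname-verification setting performs.
hostname_ok() {
  openssl verify -CAfile "$WORK/root-ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

generate_all() {
  write_openssl_conf
  make_root_ca
  make_node_certs
}

main() {
  generate_all
  for cert in node1.pem node1-nosan.pem; do
    if san_present "$WORK/$cert"; then echo "$cert: SAN present"; else echo "$cert: SAN missing"; fi
  done
  if hostname_ok "$WORK/node1.pem" "$FQDN"; then echo "node1.pem: hostname $FQDN verified"; fi
  echo "artifacts in $WORK"
}
main
```

Running it prints `node1.pem: SAN present` and `node1-nosan.pem: SAN missing`, which reproduces the post's observation that the SAN only appears when `-extfile` and `-extensions v3_req` are given at signing time. `hostname_ok` with a name that is not in the SAN exits non-zero, which is the condition a node would hit during transport-layer hostname verification.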