Nodes_dn: how to update to allow new node to join cluster

TLS Certificates - Open Distro Documentation says that ‘All DNs must be included in elasticsearch.yml on all nodes.’ That makes it pretty challenging to replace the nodes (because you have to modify the elasticsearch.yml on all nodes, and restart the elasticsearch service on each node, in order for it to see the changes).

Can this be done via an API instead? If so, I don’t see it here: API - Open Distro Documentation

The documentation (first link above) says ‘The security plugin supports wildcards and regular expressions’, but I wasn’t able to get a wildcard to work like this:
opendistro_security.nodes_dn:
  - "C=US,ST=Wisconsin,L=Milwaukee,OU=bla,O=blabla,CN=somename*.myprivateinternal.domain"

Do I need to use a ‘regular expression’ rather than a ‘wildcard’? I’d thought them to be the same, but now I suspect they are not quite.

@jondetert Did you get this working?
If not, can you confirm what version of ODFE you are using? And also confirm the DN of all node certs.

CN=somename*.myprivateinternal.domain should work assuming the DN of the node cert is CN=somename1.myprivateinternal.domain

Yes, it requires a standard regular expression, rather than simply a wildcard. E.g. to match any char, you have to write .* instead of ‘*’.
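
The difference between the two readings of the pattern, as an added example that is not part of the thread and is not the security plugin's own matcher: it uses Python's `fnmatch` and `re` as stand-ins and assumes the pattern is applied to the whole DN. The node DNs and the two rewritten patterns are constructed for illustration.

```python
import fnmatch
import re

# Constructed values modelled on the DN quoted in the thread.
PREFIX = "C=US,ST=Wisconsin,L=Milwaukee,OU=bla,O=blabla,"
NODE_DN = PREFIX + "CN=somename1.myprivateinternal.domain"
# A DN that should NOT be accepted as a cluster node (constructed).
UNINTENDED_DN = PREFIX + "CN=somename-old.other.myprivateinternal.domain"

# Pattern exactly as posted in the question.
AS_POSTED = PREFIX + "CN=somename*.myprivateinternal.domain"
# Regex form with '.*' and escaped dots (hypothetical rewrite).
REGEX_LOOSE = PREFIX + r"CN=somename.*\.myprivateinternal\.domain"
# Tighter regex: only a numeric suffix is allowed (hypothetical rewrite).
REGEX_TIGHT = PREFIX + r"CN=somename[0-9]+\.myprivateinternal\.domain"


def glob_match(pattern, dn):
    """Shell-style wildcard semantics: '*' matches any run of characters."""
    return fnmatch.fnmatchcase(dn, pattern)


def regex_match(pattern, dn):
    """Regular-expression semantics, anchored to the whole DN."""
    return re.fullmatch(pattern, dn) is not None


def compare():
    """Return how each pattern treats the intended and the unintended DN."""
    return {
        # As a glob, '*' stands for the '1' and the posted pattern matches.
        "posted_as_glob": glob_match(AS_POSTED, NODE_DN),
        # As a regex, 'e*' means "zero or more 'e'" and the single '.' then
        # consumes one character, so the literal '.' before
        # 'myprivateinternal' is never matched.
        "posted_as_regex": regex_match(AS_POSTED, NODE_DN),
        "loose_matches_node": regex_match(REGEX_LOOSE, NODE_DN),
        # '.*' also spans dots, so extra labels under the domain are accepted.
        "loose_matches_unintended": regex_match(REGEX_LOOSE, UNINTENDED_DN),
        "tight_matches_node": regex_match(REGEX_TIGHT, NODE_DN),
        "tight_matches_unintended": regex_match(REGEX_TIGHT, UNINTENDED_DN),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

Because every certificate whose DN matches an entry in nodes_dn is treated as a node certificate, the narrowest pattern that still covers the real node names is the safer choice.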