Nodes_dn: how to update to allow new node to join cluster

jondetert · August 31, 2020, 5:15pm

TLS Certificates - Open Distro Documentation says that ‘All DNs must be included in elasticsearch.yml on all nodes.’. That makes it pretty challenging to replace the nodes (because you have to modify the elasticsearch.yml on all nodes, and restart the elasticsearch service on each node, in order for it to see the changes).

Can this be done via an API instead? If so, I don’t see it here: API - Open Distro Documentation

The documentation (first link above) says ‘The security plugin supports wildcards and regular expressions’, but I wasn’t able to get a wildcard to work like this:
opendistro_security.nodes_dn:

“C=US,ST=Wisconsin,L=Milwaukee,OU=bla,O=blabla,CN=somename*.myprivateinternal.domain”
Do I need to use a ‘regular expression’ rather than a ‘wildcard’? I’d thought them to be the same, but now I suspect they are not quite.

Anthony · April 29, 2021, 2:39pm

@jondetert Did you get this working?
If not can you confirm what version of odfe you are using? And also confirm the dn of all node certs.

CN=somename*.myprivateinternal.domain should work assuming dn of the node cert is CN=somename1.myprivateinternal.domain

jondetert · May 4, 2021, 9:02pm

Yes, it requires a standard regular expression, rather than simply a wildcard. E.g. to match any char, you have to write .* instead of ‘*’.

Topic		Replies	Views
Nodes_dn configuration Open Source Elasticsearch and Kibana	3	3697	August 16, 2019
Opendistro_security.nodes_dn configuration error Security	2	1414	April 15, 2021
Security.nodes_dn incorrect configured Security	1	917	February 7, 2023
OpenDistro Nodes Certificate - OID Security	2	2035	March 10, 2021
Cannot get TLS to work Security	10	9530	December 3, 2019

Nodes_dn: how to update to allow new node to join cluster

Related Topics