SSL Woes with OpenDistro on Docker

Hello all,

I am setting up an OpenDistro cluster with Docker.

My organization utilizes a single cert across all our VMs of the form *.domainname.com. I am trying to use this cert and our CA for Elasticsearch transport / REST SSL encryption, Kibana to Elasticsearch encrypted, and Logstash to Elasticsearch encrypted.

Because we only have this one cert, I am using self-signed certs for the admin certs.

The problem occurs when I try to enable hostname verification, which for us is a crucial security step.

My SSL config on elasticsearch.yml:

```yaml
opendistro_security.ssl.transport.pemcert_filepath: '*.domainname.com.crt'
opendistro_security.ssl.transport.pemkey_filepath: '*.domainname.com.key'
opendistro_security.ssl.transport.pemtrustedcas_filepath: 'CAChain.pem'
opendistro_security.ssl.transport.enforce_hostname_verification: true
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: '*.domainname.com.crt'
opendistro_security.ssl.http.pemkey_filepath: '*.domainname.com.key'
opendistro_security.ssl.http.pemtrustedcas_filepath: 'CAChain.pem'
```

I've also confirmed that the admin and node DNs are correct, though I won't be posting them here for security.

The same general setup is consistent across other parts of the stack: if I disable hostname verification the stack runs without an issue; if I enable it, Kibana / Logstash report that Elasticsearch is dead, and the Elastic nodes say they can't verify their hostname on the transport layer.

Any insight would be appreciated.


Hey lmurph,

I've had a similar problem. After some research I found out that when the endpoints inside the Docker containers try to verify the hostnames, they use the containers' IP addresses instead of their actual hostnames.

I didn’t have the time yet to look further into this. If you found a solution or any more info on that could you please give an update?

Glad to know I’m not the only one! Haha.

In the short term I won’t have time to look into this as well. For now I’m transitioning this deployment to bare metal, which is showing a lot more promise so far. I’ll be looking at it again eventually and update this thread. Feel free to do the same if you have time to look into it as well.

I did come across a quick bit of info. If you define a custom network, Docker should switch from using IPs to hostnames: Use bridge networks | Docker Documentation

However I’ve had a custom network from the beginning and it hasn’t worked thus far.

Kibana to Elastic and Logstash to Elastic are working much better on bare metal vs Docker. However, I continue to have hostname verification issues on Elasticsearch on the transport layer. Wonder if it's an issue with the wildcard?

Encountering the same issue: getting a java.security.cert.CertificateException: No subject alternative names matching IP address error due to Docker containers always having a different IP.

My solution was to add the following line to elasticsearch.yml:

```yaml
opendistro_security.ssl.transport.enforce_hostname_verification: false
```

@lmurph It seems to do with the wildcard indeed; did you specify the full cert name?
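To see why the wildcard cert passes on bare metal but fails inside Docker, it helps to check which peer identities a certificate's SAN list actually covers. The following is an added example (not code from this thread or from Open Distro): a small RFC 6125-style matcher with a constructed SAN list, showing that `DNS:*.domainname.com` matches `node1.domainname.com` but never matches a container IP such as `172.18.0.2` (an IP peer only matches an `IP:` SAN), which is exactly the `No subject alternative names matching IP address` failure quoted above.

```python
import ipaddress
from typing import Iterable

# Constructed SAN list modelled on the wildcard cert described in the thread.
WILDCARD_SANS = ["DNS:*.domainname.com", "DNS:domainname.com"]


def _match_dns(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard allowed only as
    the whole leftmost label, and it matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("f*.example.com") and over-broad ones ("*.com").
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_san(sans: Iterable[str], peer: str) -> bool:
    """Return True if `peer` (a hostname or literal IP, as dialled by the
    client) is covered by one of the SAN entries ("DNS:..." or "IP:...").
    A literal IP peer is only ever checked against IP SANs, never DNS ones,
    so a DNS-only wildcard cert cannot verify a container reached by IP."""
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        peer_ip = None
    for san in sans:
        kind, _, value = san.partition(":")
        if kind == "IP" and peer_ip is not None:
            if ipaddress.ip_address(value) == peer_ip:
                return True
        elif kind == "DNS" and peer_ip is None and _match_dns(value, peer):
            return True
    return False


if __name__ == "__main__":
    for peer in ["node1.domainname.com", "172.18.0.2", "es.node1.domainname.com"]:
        print(f"{peer:28} -> {'ok' if matches_san(WILDCARD_SANS, peer) else 'NO MATCH'}")
```

Run it with the peer names your nodes actually use (the `discovery` hostnames on the transport layer, and the Kibana/Logstash `hosts` values) to confirm each one matches; a hostname with an extra label or a bare IP will not.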