DefaultInterClusterRequestEvaluator


4r7u...@gmail.com

Sep 20, 2017, 4:17:11 AM
to Search Guard Community Forum
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version            5.5.1
* Used enterprise modules, if any                          No
* JVM version and operating system version         OpenJDK 1.8.0 144, CentOS 7
* Search Guard configuration files                          Standard
* Elasticsearch log messages on debug level        

Elasticsearch cluster via docker + SG, 2 nodes (master + data), named es-master and es-data.

searchguard.authcz.admin_dn:
  - CN=admin, OU=client, O=client, L=Test, C=DE
searchguard.nodes_dn:
  - CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE
  - CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE

In ENV
      - searchguard.ssl.transport.enable_openssl_if_available=true   (OpenSSL 1.0.2k-fips + apr.x86_64 1.4.8-3.el7)
      - searchguard.ssl.http.enable_openssl_if_available=true

      - searchguard.ssl.transport.keystore_type=PKCS12
      - searchguard.ssl.transport.keystore_filepath=es-master.p12 (es-data.p12 in es-data node)
      - searchguard.ssl.transport.keystore_password=changeit
      - searchguard.ssl.transport.truststore_type=JKS
      - searchguard.ssl.transport.truststore_filepath=truststore.jks
      - searchguard.ssl.transport.truststore_password=changeit

      - searchguard.ssl.transport.enforce_hostname_verification=false
      - searchguard.ssl.transport.resolve_hostname=false

changes in example.sh (etc/*.conf not changed)

    ./gen_node_cert_openssl.sh "/CN=es-master.example.com/OU=SSL/O=Test/L=Test/C=DE" "es-master.example.com" "es-master" changeit capass
    ./gen_node_cert_openssl.sh "/CN=es-data.example.com/OU=SSL/O=Test/L=Test/C=DE" "es-data.example.com" "es-data" changeit capass

When the cluster came up and changed status from YELLOW to GREEN, the es-master node exited with code 0; es-data is working but waits for the master node.

In TRACE logs I found

elasticsearch1    | [2017-09-20T07:49:20,114][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]

and

elasticsearch2    | [2017-09-20T07:49:21,160][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]

why?

ps. sorry for my English

4r7u...@gmail.com

Sep 20, 2017, 8:56:28 AM
to Search Guard Community Forum
elasticsearch1    | Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] as other node because of it matches one of [CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE]

SG

Dec 28, 2017, 7:10:45 AM
to search...@googlegroups.com
Look at the whitespaces (the string must match strictly, but you can also use a wildcard (*) or regex here).

> On 20.09.2017 at 14:56, 4r7u...@gmail.com wrote:
>
> elasticsearch1 | Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] as other node because of it matches one of [CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE]
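A small matcher, added here as an illustration and not Search Guard's own code, that reproduces what the two TRACE lines in this thread show: the certificate DN is compared as a plain string against each nodes_dn entry, so the entries written with a space after every comma never match, while the wildcard form does. The `/regex/` syntax is an assumption about how a regex entry is written; `is_other_node` and `explain_mismatch` are hypothetical helper names, and the sample DNs are copied from the thread.

```python
import re
from typing import Iterable, List

# Constructed sample values taken from the thread: the DN as printed for the
# peer certificate (no spaces) and the nodes_dn entries as written in the
# elasticsearch.yml of the first post (a space after every comma).
CERT_DN = "CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE"
NODES_DN_WITH_SPACES = [
    "CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE",
    "CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE",
]
NODES_DN_WILDCARD = ["CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE"]


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Compile one nodes_dn entry.

    Assumed semantics (not copied from Search Guard): an entry wrapped in
    slashes is a regular expression; anything else is a literal string in
    which '*' matches any run of characters. Neither form normalises
    whitespace, which is exactly why the spaces in the first post matter.
    """
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.compile(pattern[1:-1])
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def is_other_node(cert_dn: str, nodes_dn: Iterable[str]) -> bool:
    """Treat the peer as a cluster node only if some entry matches the whole DN."""
    return any(pattern_to_regex(p).fullmatch(cert_dn) for p in nodes_dn)


def _squeeze(dn: str) -> str:
    """Drop whitespace around the commas so near-misses can be spotted."""
    return re.sub(r"\s*,\s*", ",", dn.strip())


def explain_mismatch(cert_dn: str, nodes_dn: Iterable[str]) -> List[str]:
    """Name the entries that fail only because of whitespace."""
    hints = []
    for p in nodes_dn:
        if not pattern_to_regex(p).fullmatch(cert_dn) and _squeeze(p) == _squeeze(cert_dn):
            hints.append(f"{p!r} differs from the certificate DN only by whitespace")
    return hints


if __name__ == "__main__":
    print(is_other_node(CERT_DN, NODES_DN_WITH_SPACES))  # False, as in the first log
    print(explain_mismatch(CERT_DN, NODES_DN_WITH_SPACES))
    print(is_other_node(CERT_DN, NODES_DN_WILDCARD))     # True, as in the second log
```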
