When asking questions, please provide the following information:
* Search Guard and Elasticsearch version: 5.5.1
* Used enterprise modules, if any: No
* JVM version and operating system version: OpenJDK 1.8.0 144, CentOS 7
* Search Guard configuration files: Standard
* Elasticsearch log messages on debug level
Elasticsearch cluster running in Docker with SG. 2 nodes: master + data, named es-master and es-data.
searchguard.authcz.admin_dn:
- CN=admin, OU=client, O=client, L=Test, C=DE
searchguard.nodes_dn:
In ENV:
- searchguard.ssl.transport.enable_openssl_if_available=true (OpenSSL 1.0.2k-fips + apr.x86_64 1.4.8-3.el7)
- searchguard.ssl.http.enable_openssl_if_available=true
- searchguard.ssl.transport.keystore_type=PKCS12
- searchguard.ssl.transport.keystore_filepath=es-master.p12 (es-data.p12 in es-data node)
- searchguard.ssl.transport.keystore_password=changeit
- searchguard.ssl.transport.truststore_type=JKS
- searchguard.ssl.transport.truststore_filepath=truststore.jks
- searchguard.ssl.transport.truststore_password=changeit
- searchguard.ssl.transport.enforce_hostname_verification=false
- searchguard.ssl.transport.resolve_hostname=false
Changes were made in example.sh (etc/*.conf were not changed).
When the cluster came up and its status changed from YELLOW to GREEN, the es-master node exited with code 0; es-data is working but waiting for the master node.
In the TRACE logs I found:
elasticsearch1 | [2017-09-20T07:49:20,114][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]
and
elasticsearch2 | [2017-09-20T07:49:21,160][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] Treat certificate with principal [CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE, CN=es-master.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]
Why?
P.S. Sorry for my English.
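
A comparison of the two DN spellings in the TRACE line above, as an added example that is not part of the original post or of Search Guard's code: it parses the rejection message and checks the certificate principal against the configured list both literally and after normalizing spacing. That the evaluator compares these strings literally is an assumption; `split_dns`, `parse_trace`, `normalize` and `compare` are hypothetical helper names.

```python
import re

# Constructed sample: the elasticsearch1 TRACE message from the post, on one line.
TRACE = (
    "[2017-09-20T07:49:20,114][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] "
    "Treat certificate with principal [CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE, "
    "CN=es-data.example.com,OU=SSL,O=Test,L=Test,C=DE] NOT as other node because we it "
    "does not matches one of [CN=es-data.example.com, OU=SSL, O=Test, L=Test, C=DE, "
    "CN=es-master.example.com, OU=SSL, O=Test, L=Test, C=DE]"
)

def split_dns(listing):
    """Split a bracketed listing into DNs; every DN in these logs starts with CN=."""
    return re.findall(r"CN=.*?(?=,\s*CN=|$)", listing)

def parse_trace(line):
    """Return (certificate principals, configured node DNs) from a rejection line."""
    m = re.search(r"principal \[(.*?)\] NOT as other node.*one of \[(.*)\]", line)
    if not m:
        raise ValueError("not a DefaultInterClusterRequestEvaluator rejection line")
    return split_dns(m.group(1)), split_dns(m.group(2))

def normalize(dn):
    """Trim each RDN, uppercase the attribute type, rejoin with ','.
    Simplification: assumes no escaped commas inside values (true for these DNs)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)

def compare(line):
    """Return (literal string match, match after DN normalization)."""
    principals, allowed = parse_trace(line)
    literal = any(p == a for p in principals for a in allowed)
    canon = {normalize(a) for a in allowed}
    normalized = any(normalize(p) in canon for p in principals)
    return literal, normalized

if __name__ == "__main__":
    literal, normalized = compare(TRACE)
    print(f"literal string match: {literal}")
    print(f"match after DN normalization: {normalized}")
```
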