Nodes_dn configuration

#1

Hi,
My organization is using a wildcard certificate to have SSL configured everywhere. I have done the SSL configuration of the opendistro-es node using it, but I am unable to set the parameters for opendistro_security.authcz.admin_dn, as it doesn't allow wildcard certificates, as mentioned in the documentation. So currently my ES configuration looks like this:

network.host: 0.0.0.0

node.master: true
node.data: true
discovery.zen.ping.unicast.hosts: ["172.16.0.39","172.16.0.40:9300","172.16.0.41:9300"]

######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: certificate.pem
opendistro_security.ssl.transport.pemkey_filepath: wildcard_key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: intermediate-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: certificate.pem
opendistro_security.ssl.http.pemkey_filepath: wildcard_key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: intermediate-ca.pem
opendistro_security.ssl.http.clientauth_mode: NONE
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########

I am unable to create a cluster and I am getting these errors:

[2019-03-28T12:26:49,960][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [elsatic-node-2] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with 
a non-node certificate (no OID or opendistro_security.nodes_dn incorrect configured) or that someone 
is spoofing requests. Check your TLS certificate setup as described in documentation]

[2019-03-28T12:26:50,763][WARN ][o.e.d.z.UnicastZenPing   ] [elsatic-node-2] [1] failed send ping to {172.16.0.39:9300}{taTx4u7RRDetpGDrtYocEg}{172.16.0.39}{172.16.0.39:9300}
java.lang.IllegalStateException: handshake failed with {172.16.0.39:9300}{taTx4u7RRDetpGDrtYocEg}{172.16.0.39}{172.16.0.39:9300}
	at org.elasticsearch.transport.TransportService.handshake(TransportService.java:444) ~[elasticsearch-6.5.4.jar:6.5.4]
	at org.elasticsearch.transport.TransportService.handshake(TransportService.java:412) ~[elasticsearch-6.5.4.jar:6.5.4]
	at org.elasticsearch.discovery.zen.UnicastZenPing$PingingRound.getOrConnect(UnicastZenPing.java:366) ~[elasticsearch-6.5.4.jar:6.5.4]
	at org.elasticsearch.discovery.zen.UnicastZenPing$3.doRun(UnicastZenPing.java:471) [elasticsearch-6.5.4.jar:6.5.4]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:723) [elasticsearch-6.5.4.jar:6.5.4]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.5.4.jar:6.5.4]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.elasticsearch.transport.RemoteTransportException: [elsatic-node-1][172.16.0.39:9300][internal:transport/handshake]
Caused by: org.elasticsearch.ElasticsearchException: Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with 
a non-node certificate (no OID or opendistro_security.nodes_dn incorrect configured) or that someone 
is spoofing requests. Check your TLS certificate setup as described in documentation

Please help, thanks in advance
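The error in the post above says the peer presented a certificate that is neither a node certificate (no OID) nor matched by opendistro_security.nodes_dn, and admin_dn rejects wildcards. The following Python is an added example, not code from this thread or from Open Distro: it mirrors the nodes_dn matching rules the Open Distro security documentation describes (plain DN, '*' wildcard, or a /regex/ wrapped in slashes) so a planned configuration can be checked offline against a certificate's subject DN. The sample DN, the candidate entries and the function names are assumptions constructed for the example; the plugin itself performs this check in Java and may normalize DNs differently, and the OID-based alternative is not modelled.

```python
# Added example (not code from this thread or from Open Distro): checks a
# certificate subject DN against candidate opendistro_security.nodes_dn entries,
# following the matching rules the Open Distro security documentation describes
# (plain DN, '*' wildcard, or a /regex/ wrapped in slashes), and flags DNs that
# cannot be used as admin_dn because they contain a wildcard.
# The plugin itself does this in Java; the functions below only mirror the
# documented behaviour so a configuration can be sanity-checked offline.
import fnmatch
import re

# Constructed sample subject DN of a wildcard certificate, in the RFC 2253 form
# printed by `openssl x509 -in certificate.pem -noout -subject -nameopt RFC2253`.
WILDCARD_CERT_DN = "CN=*.example.org,OU=IT,O=Example Corp,L=Berlin,C=DE"


def normalize_dn(dn):
    """Strip whitespace around RDN separators so that
    'L=test, C=de' and 'L=test,C=de' compare equal."""
    return ",".join(part.strip() for part in dn.split(","))


def is_regex_entry(entry):
    """A nodes_dn entry wrapped in slashes, e.g. '/CN=.*\\.example\\.org,.*/',
    is treated as a regular expression."""
    return len(entry) > 2 and entry.startswith("/") and entry.endswith("/")


def dn_matches(entry, subject_dn):
    """True if the nodes_dn entry accepts the given certificate subject."""
    subject = normalize_dn(subject_dn)
    if is_regex_entry(entry):
        return re.fullmatch(entry[1:-1], subject) is not None
    # fnmatchcase treats '*' in the entry as a wildcard; a literal '*' in the
    # subject (as in a wildcard certificate) is matched like any other character.
    return fnmatch.fnmatchcase(subject, normalize_dn(entry))


def admin_dn_allowed(dn):
    """admin_dn entries must be exact DNs: no '*' wildcard and no regex."""
    return "*" not in dn and not is_regex_entry(dn)


def check_transport_peer(subject_dn, nodes_dn_entries):
    """Emulate the node-certificate check behind the error message in the
    thread: a peer is accepted as a cluster node only if some nodes_dn entry
    matches its certificate subject (the alternative, a node certificate
    carrying the special OID, is not modelled here).  Returns (accepted, reason)."""
    for entry in nodes_dn_entries:
        if dn_matches(entry, subject_dn):
            return True, "matched nodes_dn entry %r" % entry
    return False, ("no opendistro_security.nodes_dn entry matches %r; the transport "
                   "handshake would be rejected as a non-node certificate"
                   % normalize_dn(subject_dn))


if __name__ == "__main__":
    # Constructed candidate entries for the wildcard certificate above.
    candidates = [
        "CN=node-1.example.org,OU=IT,O=Example Corp,L=Berlin,C=DE",  # exact DN, no match
        "CN=*.example.org,OU=IT,O=Example Corp,L=Berlin,C=DE",       # '*' wildcard entry
        "/CN=.*\\.example\\.org,OU=IT,.*/",                           # regex entry
    ]
    for entry in candidates:
        print("%-60s -> %s" % (entry, dn_matches(entry, WILDCARD_CERT_DN)))
    print(check_transport_peer(WILDCARD_CERT_DN, []))
    print("admin_dn allowed for wildcard cert:", admin_dn_allowed(WILDCARD_CERT_DN))
```

Run it with no arguments to see which of the constructed entries would admit the wildcard certificate on the transport layer; with an empty nodes_dn list the check fails exactly as the handshake in the posted log does, and the wildcard DN is reported as unusable for admin_dn, which is why a separate non-wildcard admin certificate is needed.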

#2

+1
I am also hitting the same issue.
It works with the default demo certificates, but does not work with self-signed certs.

#3

I found a little workaround for this (maybe a hack).

Logs/metrics are being sent to ES over an HTTPS connection, and the ES cluster nodes communicate with each other over a TCP connection. So I am using our organisation's certificate to accept all REST requests for accumulating logs/metrics, and opendistro's default certificate for all TCP connections. Since I am using Docker and Swarm (for the overlay network) to run my Elastic stack, I have removed the port mapping (9300) from docker-compose and stopped accepting any communication to port 9300 from outside the Docker network.

After that I didn't receive any error (mentioned above) and my cluster is healthy.
