Nodes_dn: how to update to allow new node to join cluster

https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/tls/#configure-node-certificates says that ‘All DNs must be included in elasticsearch.yml on all nodes.’ That makes it pretty challenging to replace the nodes (because you have to modify the elasticsearch.yml on all nodes, and restart the elasticsearch service on each node, in order for it to see the changes).

Can this be done via an API instead? If so, I don’t see it here: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/api/

The documentation (first link above) says ‘The security plugin supports wildcards and regular expressions’, but I wasn’t able to get a wildcard to work like this:
    opendistro_security.nodes_dn:
      - "C=US,ST=Wisconsin,L=Milwaukee,OU=bla,O=blabla,CN=somename*.myprivateinternal.domain"

Do I need to use a ‘regular expression’ rather than a ‘wildcard’? I’d thought them to be the same, but now I suspect they are not quite.