Security.nodes_dn incorrect configured

Elasticsearch version:

  • 1.9.0-opendistro

Describe the issue:

The Elasticsearch Run with the following nodes_dn in elasticsearch.yml:

opendistro_security.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=db.com,C=BD"

But it fails to run with the following config:

opendistro_security.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=db.com+O=another.com,C=BD"

Error:

[2021-01-22T04:53:41,606][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [es-combined-2] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with 
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone 
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/]
[2021-01-22T04:53:42,205][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [es-combined-2] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with 
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone 
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/]

My transport certificate:

$ openssl x509 -text -noout -in transport.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:43:41:4f:fd:ce:da:48:7b:fa:ce:a3:ad:7a:93:ba
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = elasticsearch, O = kubedb
        Validity
            Not Before: Jan 21 15:22:50 2021 GMT
            Not After : Apr 21 15:22:50 2021 GMT
        Subject: C = BD, O = mydb.com + O = another.com, OU = testing, CN = es-combined-transport

Question:

  • How to write the nodes_dn when Organization(O)/OrganizationUnits(OU)/Countries¬© is a list/array?