Elasticsearch Shield SSL using single signed certificate for domain

radap · February 22, 2016, 3:02pm

I`m using Elasticsearch 2.2.0 with shield 2.2. The cluster has a 100 nodes on different servers in AWS environment under one domain:

es1.test.domainname.com
es2.test.domainname.com
es3.test.domainname.com
es4.test.domainname.com
es5.test.domainname.com
es6.test.domainname.com
...
es99.test.domainname.com
es100.test.domainname.com

I want to enable ssl in Shield and for that I need to issue a signed certificate as I already described in other question. The problem here is that for each new elastic node I would need to issue new signed certificate so the node could join the ssl protected cluster… Right now I have already “spent” all of my weekly subdomains requests.

Is it possible to sign only one certificate for test.domainname.com and copy it to all the other nodes (different servers same domain)?

cool110 · February 22, 2016, 5:59pm

Yes, you can have up to 100 SANs on a single cert, you only need multiple certs if you have more than that.

radap · February 24, 2016, 11:40am

@cool110 - It didn't work. I tried to sign csr for test.domainname.com and got :

Failed authorization procedure. test.domainname.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for test.domainname.com

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: test.domainname.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for test.domainname.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I tried to do so from es1.test.domainname.com (C name by GoDaddy)
Why it is failing?

cool110 · February 24, 2016, 11:57am

Don’t put test.domainname.com in the CSR, all 100 subdomains need to be in there. You should get es1.test.domainname.com as the common name but with all the other ones in the alternative names.

radap · February 24, 2016, 12:06pm

but it is not going to work…
say I signed 30 Elasticsearch domains - es1.test.domainname.com as the common name and all the others es2-30 in the alternative names. Ok, but tomorrow I will need to add one more server to the cluster - es31.test.domainname.com- I will need to make another certificate that includes the new server and replace in each elastic server the installed certificate with this new one == nightmare.

Is there a way to sign general domain certificate that I can copy to the sub domain servers?

cool110 · February 24, 2016, 12:12pm

No, the best way would be to have the unused subdomains pointing at a node that is running or to have all 100 running when issuing (and renewing).

radap · February 24, 2016, 12:53pm

Ok, got it.

The last thing I couldn’t get right is how to make a csr with alternative names…
I tried:

> sudo keytool -importcert -keystore node.jks -file /home/ubuntu/letsencrypt/public_pem/isrgrootx1.pem -alias letsencrypt
> sudo keytool -genkey -alias node -keystore node.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:es1.test.domainname.com
> sudo keytool -certreq -alias node -keystore node.jks -file node.csr -keyalg rsa -ext san=dns:es1.test.domainname.com
> sudo openssl req -outform der -in node.csr -out node.der
> ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node.der

Where do I set alternative names?

cool110 · February 24, 2016, 1:11pm

Change that to a comma separated list with each name prefixed with dns: