Description
Hi
I have now spent some time trying to resolve this. Can someone please help to resolve this:
I am installing the indexer, dashboard and server on 3 different machines. On the indexer instructions I get to the /usr/share/wazuh-indexer/bin/indexer-security-init.sh step and it hangs here:
Security Admin v7
Will connect to offpiwzi091.internal.yospace.com:9200 ... done
Connected as "CN=admin,OU=Systems,O=ORG NAME LTD,L=Town-We-Are-In,C=GB"
OpenSearch Version: 2.19.1
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: 30,000 milliseconds timeout on connection http-outgoing-2 [ACTIVE]. This is not an error, will keep on trying ...
Root cause: java.net.SocketTimeoutException: 30,000 milliseconds timeout on connection http-outgoing-2 [ACTIVE] (java.net.SocketTimeoutException/java.net.SocketTimeoutException)
- Try running securityadmin.sh with -icl (but no -cn) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
- Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml
- If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
- Add --accept-red-cluster to allow securityadmin to operate on a red cluster.
If I then run:
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -icl -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h $(hostname)
I get:
Security Admin v7
Will connect to offpiwzi091.internal.yospace.com:9200 ... done
ERR: An unexpected IOException occured: Host name 'offpiwzi091.internal.yospace.com' does not match the certificate subject provided by the peer (CN=indexer.domain.com,OU=Systems,O=ORG NAME LTD,L=Town-We-Are-In,C=GB)
Trace:
java.io.IOException: Host name 'indexer.domain.com' does not match the certificate subject provided by the peer (CN=indexer.domain.com,OU=Systems,O=ORG NAME LTD,L=Town-We-Are-In,C=GB)
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:1252)
at org.opensearch.client.RestClient.performRequest(RestClient.java:358)
at org.opensearch.client.RestClient.performRequest(RestClient.java:346)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:575)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:165)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'indexer.domain.com' does not match the certificate subject provided by the peer (CN=indexer.domain.com,OU=Systems,O=ORG NAME LTD,L=Town-We-Are-In,C=GB)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:217)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:197)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:373)
at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:594)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:187)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:1447)
I understand what the problem is, but how do I fix it?
Thank you in advance for the help.
Kobus
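An added example, not part of the original issue: one way to see which names a certificate carries and whether it covers the hostname the client connects to, using the two hostnames from the error output above. The function names are hypothetical and the self-signed certificate is constructed for the demo only; it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example: does a PEM certificate cover the hostname a TLS client dials?
# All function names are hypothetical; the certificate is generated for the demo.

# cert_names CERT: print the subject and subjectAltName entries of a certificate.
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null
}

# cert_covers_host CERT HOST: exit 0 only if OpenSSL's hostname check accepts HOST.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_demo_cert DIR NAME: constructed self-signed cert with CN and SAN set to NAME.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/demo-key.pem" -out "$1/demo.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# report CERT HOST...: one MATCH/MISMATCH line per candidate hostname.
report() {
    cert=$1; shift
    for host in "$@"; do
        if cert_covers_host "$cert" "$host"; then
            echo "MATCH     $host"
        else
            echo "MISMATCH  $host"
        fi
    done
}

# demo: issue a cert for the name seen in the error, then test both hostnames.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir" indexer.domain.com || { rm -rf "$dir"; return 1; }
    cert_names "$dir/demo.pem"
    report "$dir/demo.pem" indexer.domain.com offpiwzi091.internal.yospace.com
    rm -rf "$dir"
}
demo
```

Against a real node certificate, `report` takes the certificate path followed by every hostname that clients and other nodes use to reach the indexer.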