Rejecting certificate with common-names – How to solve this Elasticsearch error

Opster Team

Aug-23, Version: 6.8-7.15

Briefly, this message is logged by RestrictedTrustManager, the trust manager Elasticsearch installs on the transport layer when xpack.security.transport.ssl.trust_restrictions.path points to a trust restrictions file (trust.yml). By the time this log line appears the peer's certificate has already passed ordinary chain validation against the truststore; it is rejected because none of the common names Elasticsearch reads from it matches any trust.subject_name pattern in that file. In versions 6.8-7.15 the names compared are the CN values carried in the certificate's subjectAltName otherName entries, not the CN of the subject DN and not its DNS names, so a certificate that is perfectly valid for the host name can still be rejected. To resolve this, either add a trust.subject_name pattern that matches the certificate's otherName CN (glob patterns such as *.cluster1.example.com are accepted) or reissue the certificate with an otherName CN that matches the existing patterns, and check elasticsearch.yml on every node for the trust_restrictions.path setting. Truststore problems (an unknown CA, a self-signed certificate that was never imported) fail earlier during chain validation and do not produce this message.

This guide will help you check for common problems that cause the log "Rejecting certificate [{}] [{}] with common-names [{}]" to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: the X-Pack security plugin and transport TLS trust restrictions.

Log Context

Log "Rejecting certificate [{}] [{}] with common-names [{}]" is emitted by the class RestrictedTrustManager.java in the X-Pack SSL code. The two leading placeholders are the certificate's subject DN and its serial number in hex; the third is the set of common names that were extracted from it.
We extracted the following from the Elasticsearch source code for those seeking in-depth context:

        // names are the common names readCommonNames() extracted from the peer certificate
        Set<String> names = readCommonNames(certificate);
        if (verifyCertificateNames(names)) {
            logger.debug(() -> new ParameterizedMessage("Trusting certificate [{}] [{}] with common-names [{}]",
                    certificate.getSubjectDN(), certificate.getSerialNumber().toString(16), names));
        } else {
            // logged at INFO, then the handshake is failed with a CertificateException
            logger.info("Rejecting certificate [{}] [{}] with common-names [{}]",
                    certificate.getSubjectDN(), certificate.getSerialNumber().toString(16), names);
            throw new CertificateException("Certificate for " + certificate.getSubjectDN() +
                    " with common-names " + names
                    + " does not match the trusted names " + trustRestrictions.getTrustedNames());
        }
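The check above, reconstructed as an added example in Go. This is not Elasticsearch's code and not from the original page; it assumes the behaviour of RestrictedTrustManager in 6.8-7.15, namely that readCommonNames takes the CN values from the certificate's subjectAltName otherName entries and that verifyCertificateNames trusts the certificate when any of them matches any trust.subject_name glob. The host names, the patterns and the sanValue builder that produces the constructed SAN bytes are all made up for the example. To run it against a real certificate, pass the Value of the extension with OID 2.5.29.17 from x509.ParseCertificate(...).Extensions to readCommonNames.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"regexp"
	"strings"
)

// oidCommonName is the X.500 "CN" attribute type Elasticsearch looks for in SAN otherName entries.
var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}

// otherName is the OtherName SEQUENCE of a GeneralName. Value keeps the [0] EXPLICIT
// wrapper raw, so Value.Bytes is the DER string underneath.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

// tlv encodes one DER element; encoding/asn1 takes care of the length field.
func tlv(class, tag int, compound bool, content []byte) []byte {
	b, _ := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: compound, Bytes: content})
	return b
}

// sanValue builds the value of a subjectAltName extension with one otherName of type
// commonName per cn plus one dNSName per dns: the shape the trust restrictions read.
func sanValue(cns, dns []string) []byte {
	ctx, uni := asn1.ClassContextSpecific, asn1.ClassUniversal
	var names []byte
	for _, cn := range cns {
		oid, _ := asn1.Marshal(oidCommonName)
		// OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; as the IMPLICIT
		// [0] choice of GeneralName, its SEQUENCE tag is replaced by context tag 0.
		value := tlv(ctx, 0, true, tlv(uni, asn1.TagUTF8String, false, []byte(cn)))
		names = append(names, tlv(ctx, 0, true, append(oid, value...))...)
	}
	for _, d := range dns {
		names = append(names, tlv(ctx, 2, false, []byte(d))...) // dNSName [2] IA5String
	}
	return tlv(uni, asn1.TagSequence, true, names)
}

// readCommonNames mirrors RestrictedTrustManager.readCommonNames in 6.8-7.15: only CN
// values in otherName entries count. The subject DN's CN and any dNSName entries are
// ignored, which is why a certificate that only names its host is rejected.
func readCommonNames(san []byte) ([]string, error) {
	var seq asn1.RawValue
	if _, err := asn1.Unmarshal(san, &seq); err != nil {
		return nil, err
	}
	var names []string
	for body := seq.Bytes; len(body) > 0; {
		var gn asn1.RawValue
		rest, err := asn1.Unmarshal(body, &gn)
		if err != nil {
			return nil, err
		}
		body = rest
		// Entries that are not a [0] otherName of type CN, or do not decode, can never
		// match a pattern, so they are skipped rather than treated as errors.
		var on otherName
		var cn string
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil || !on.TypeID.Equal(oidCommonName) {
			continue
		}
		if _, err := asn1.Unmarshal(on.Value.Bytes, &cn); err == nil {
			names = append(names, cn)
		}
	}
	return names, nil
}

// globToRegexp converts a trust.subject_name glob ('*' any run, '?' one character) to an
// anchored regexp; entries written /.../ are Lucene regexps in Elasticsearch, not handled here.
func globToRegexp(glob string) *regexp.Regexp {
	re := strings.NewReplacer(`\*`, `.*`, `\?`, `.`).Replace(regexp.QuoteMeta(glob))
	return regexp.MustCompile("^" + re + "$")
}

// verifyCertificateNames decides as the Elasticsearch method of the same name does:
// trusted iff at least one extracted name matches at least one pattern.
func verifyCertificateNames(names, patterns []string) bool {
	for _, p := range patterns {
		for _, n := range names {
			if globToRegexp(p).MatchString(n) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed input: the dNSName would match the pattern but the otherName CN does not.
	san := sanValue([]string{"node03.cluster3.example.internal"}, []string{"node03.cluster1.example.internal"})
	names, err := readCommonNames(san)
	fmt.Println(names, err, verifyCertificateNames(names, []string{"*.cluster1.example.internal"}))
}
```

The constructed input is rejected even though its dNSName satisfies the pattern, which is the trap behind most occurrences of this log line: a certificate issued for the host name alone never carries the otherName CN that the restriction compares against, so either the certificate or the trust.subject_name list has to change.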

 
