Briefly, this error occurs when Elasticsearch’s SSL/TLS configuration rejects a certificate due to mismatched or untrusted common names (CN). This could be due to incorrect configuration or a self-signed certificate. To resolve this, ensure that the certificate’s CN matches the hostname of the Elasticsearch node. If you’re using a self-signed certificate, make sure it’s added to the truststore of all nodes. Alternatively, consider using a certificate from a trusted Certificate Authority. Also, check your Elasticsearch.yml file for correct SSL/TLS settings.
This guide will help you check for common problems that cause the log ” Rejecting certificate [{}] [{}] with common-names [{}] ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “Rejecting certificate [{}] [{}] with common-names [{}]” classname is RestrictedTrustManager.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
Setnames = readCommonNames(certificate); if (verifyCertificateNames(names)) { logger.debug(() -> new ParameterizedMessage("Trusting certificate [{}] [{}] with common-names [{}]"; certificate.getSubjectDN(); certificate.getSerialNumber().toString(16); names)); } else { logger.info("Rejecting certificate [{}] [{}] with common-names [{}]"; certificate.getSubjectDN(); certificate.getSerialNumber().toString(16); names); throw new CertificateException("Certificate for " + certificate.getSubjectDN() + " with common-names " + names + " does not match the trusted names " + trustRestrictions.getTrustedNames()); }
