Briefly, this error occurs when Elasticsearch's SSL/TLS configuration rejects a certificate due to mismatched or untrusted common names (CN). This could be due to incorrect configuration or a self-signed certificate. To resolve this, ensure that the certificate's CN matches the hostname of the Elasticsearch node. If you're using a self-signed certificate, make sure it's added to the truststore of all nodes. Alternatively, consider using a certificate from a trusted Certificate Authority. Also, check your elasticsearch.yml file for correct SSL/TLS settings.
This guide will help you check for common problems that cause the log "Rejecting certificate [{}] [{}] with common-names [{}]" to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
The log "Rejecting certificate [{}] [{}] with common-names [{}]" is emitted from the class file RestrictedTrustManager.java.
We extracted the following from the Elasticsearch source code for those seeking in-depth context:
    // Names read from the presented certificate
    Set<String> names = readCommonNames(certificate);
    if (verifyCertificateNames(names)) {
        logger.debug(() -> new ParameterizedMessage("Trusting certificate [{}] [{}] with common-names [{}]",
            certificate.getSubjectDN(), certificate.getSerialNumber().toString(16), names));
    } else {
        // Logged at INFO with the subject DN, the serial number in hex, and the names that were checked
        logger.info("Rejecting certificate [{}] [{}] with common-names [{}]",
            certificate.getSubjectDN(), certificate.getSerialNumber().toString(16), names);
        throw new CertificateException("Certificate for " + certificate.getSubjectDN() + " with common-names " + names
            + " does not match the trusted names " + trustRestrictions.getTrustedNames());
    }
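The following triage script is an added example, not code from this guide or from Elasticsearch: it parses rejection lines in the message format shown above and tests the logged names against the trusted-name patterns you intend to allow. The sample log lines, the patterns, and the function names are constructed for illustration, and shell-style `*` matching where any name matching any pattern is enough is an assumption about how the trusted names are evaluated.

```python
import re
from fnmatch import fnmatchcase

# Layout taken from the logger.info() call quoted on this page; the last
# argument is a Java Set, which renders as "[a, b]" inside the brackets.
REJECT_RE = re.compile(
    r"Rejecting certificate \[(?P<subject>.*?)\] \[(?P<serial>[0-9a-f]+)\] "
    r"with common-names \[\[(?P<names>.*?)\]\]"
)

def parse_rejection(line):
    """Return (subject, serial_hex, names) for a rejection line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    names = [n.strip() for n in m.group("names").split(",") if n.strip()]
    return m.group("subject"), m.group("serial"), names

def explain(line, trusted_patterns):
    """Classify one log line against the patterns you plan to trust."""
    parsed = parse_rejection(line)
    if parsed is None:
        return "not-a-rejection"
    names = parsed[2]
    if not names:
        # No names were read from the certificate, so no pattern can match;
        # the certificate has to be reissued, not the pattern list edited.
        return "no-names-in-certificate"
    # Assumption: one name matching one pattern is enough to be trusted.
    if any(fnmatchcase(n, p) for n in names for p in trusted_patterns):
        # Rejected by the node but accepted here: the node is running with
        # a different (for example stale) set of trusted names.
        return "would-be-trusted"
    return "no-pattern-matches"

# Constructed sample lines (not real log output) and hypothetical patterns.
TRUSTED = ["*.prod.example.internal"]
SAMPLES = [
    "[INFO ] Rejecting certificate [CN=node-7, O=Example] [1a2b3c] with common-names [[node-7.dev.example.internal]]",
    "[INFO ] Rejecting certificate [CN=node-9, O=Example] [4d5e6f] with common-names [[]]",
    "[INFO ] Rejecting certificate [CN=node-3, O=Example] [7a8b9c] with common-names [[node-3.prod.example.internal, node-3]]",
    "[DEBUG] Trusting certificate [CN=node-1, O=Example] [0f0f0f] with common-names [[node-1.prod.example.internal]]",
]

def classify_all(lines=SAMPLES, patterns=TRUSTED):
    return [explain(line, patterns) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, classify_all()):
        print(f"{verdict:24} {line}")
```

A `no-names-in-certificate` verdict points at the certificate itself, while `no-pattern-matches` points at the trusted-names list.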