Receiver nodes does not get an updated certificate after adding custom fqdn to fleet configuration

[mikkelotharholm]

Version

2.4.170

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

64G

Storage for /nsm

128G

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Setup:
1 manager node
1 fleet node
2 receiver nodes

The 2 receiver nodes are meant for external access for elastic agents.

When we provide a fqdn in the GUI with advanced settings enabled - Administration -> Configuration -> elasticfleet -> config -> server -> custom_fqdn

the fleet node and the manager node are getting updated certificates in /etc/pki/elasticfleet-logstash.crt and /etc/pki/elasticfleet-logstash.key but the receiver nodes does not get any updated certificates.

Have i missed anything regarding receiver nodes?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

https://docs.securityonion.net/en/2.4/hostname.html#hostname Certificates are generated based on hostnames.

[defensivedepth]

To clarify a couple things:

• For Fleet, agents need to access both the control & data (ie log ingest) planes. The Receiver nodes only offer data (logstash). You will still need the Fleet node accessible to external endpoints. The Fleet node provides both control & data.

• Have you restarted Logstash on the receiver node? (sudo so-logstash-restart) it should regen the certs after a restart.

[mikkelotharholm]

1. Yes, the fleet server is accessible to clients on port 8220. The receiver nodes (logstash) are accessible on port 5055.
2. Yes, the logstash have been restarted and i have tried to run salt 'receivernode' state.sls ssl with no luck.

When i check the fleet node in /etc/pki/ i can see that the elasticfleet-logstash.crt is created correctly with the custom fqdn as a DNS in Subject Alternative Name.

openssl x509 -in /etc/pki/elasticfleet-logstash.crt -text -noout -dates

The same command on the receiver nodes does not show the custom fqdn as DNS in Subject Alternative Name.

[defensivedepth]

@mikkelotharholm This is a bug and has been fixed: #15022

Will be included in our next release.

[mikkelothar]

That sounds good. Thank you :)