Similarly to OpenSearch/ElasticSearch's security plugins, I'd like an option to disable SSL Hostname verification to work around this issue.
Expected Behavior
An optional config setting to disable hostname verification, so nodes can communicate via TLS without IP SANs in the certificate.
Current Behavior
2024-06-28 05:00:11,703 WARN [ProxiedResource] - Failed to call API on node <b5a3fb12-bea2-4c89-8a17-5bdc2471e919>, cause: Hostname 10.42.7.19 not verified:
certificate: sha256/...
DN:
subjectAltNames: [graylog.cluster.local] (duration: 186 ms) - {}
Possible Solution
An additional optional config setting, that when enabled, configures OkHttpClient with a HostnameVerifier that does not verify the IP SANs of the TLS certificate.
Context
I'm running Graylog in kubernetes with the helm chart
and I'd like to use TLS, but when making API calls between nodes, the calls fail due to the way my certs are setup.
I'm using cert-manager to provision certificates, and because these pods are running in kubernetes, I can't assign IP SANs to the certificates, since the node IPs change. The Helm chart sets node communication via the IPs.
Similarly to OpenSearch/ElasticSearch's security plugins, I'd like an option to disable SSL Hostname verification to work around this issue.
Expected Behavior
An optional config setting to disable hostname verification, so nodes can communicate via TLS without IP SANs in the certificate.
Current Behavior
Possible Solution
An additional optional config setting, that when enabled, configures OkHttpClient with a HostnameVerifier that does not verify the IP SANs of the TLS certificate.
Context
I'm running Graylog in kubernetes with the helm chart and I'd like to use TLS, but when making API calls between nodes, the calls fail due to the way my certs are setup.
I'm using cert-manager to provision certificates, and because these pods are running in kubernetes, I can't assign IP SANs to the certificates, since the node IPs change. The Helm chart sets node communication via the IPs.
Your Environment