rackspace-cookbooks / elkstack

Elasticsearch, logstash, and kibana stack

logstash-forwarder requires proper CN names in lumberjack certs #113

Closed lmunro closed 9 years ago

lmunro commented 9 years ago

See https://github.com/elasticsearch/logstash-forwarder/issues/221 for reference.
Since Go 1.3+, TLS requires proper CN hostnames, or, if using IPs to connect to the logstash server, you need to add the IP as a subjectAlternativeName.

We will need to generate certificates per forwarder node to fix this. We could maybe leverage this https://github.com/elasticsearch/logstash-forwarder/issues/221#issuecomment-48823952

I tried this https://github.com/elasticsearch/logstash-forwarder/issues/221#issuecomment-48823952 but still had problems; I think it may only work with Go 1.2 and below.

martinb3 commented 9 years ago

Perhaps we can use the Chef node certificate, per https://github.com/elasticsearch/logstash-forwarder/issues/221#issuecomment-59291048. I still don't like the idea that CN must equal hostname when we are using x509 for transport encryption, not necessarily PKI.

martinb3 commented 9 years ago

I added a link to https://github.com/elasticsearch/logstash-forwarder/issues/221#issuecomment-48823952 in the readme. I'm not sure what else we can do.