Elasticsearch: Java client sniffing error with X-Pack and TLS: javax.net.ssl.SSLPeerUnverifiedException

Created on 9 Aug 2017 · 3 Comments · Source: elastic/elasticsearch

Elasticsearch 5.5.1

For sniffing, the Java client calls _nodes/http to fetch the value of public_address. It works when TLS is not enabled. However, this can break connectivity to Elasticsearch if TLS is enabled with X-Pack and the node certificate does not include a SAN (subjectAltName) having the IP address value of public_address.

2017-08-07 14:05:21,992 ERROR o.e.c.s.Sniffer [pool-3-thread-1] [Host- host-ui-rest] error while sniffing nodes javax.net.ssl.SSLPeerUnverifiedException: Host name '10.0.0.1' does not match the certificate subject provided by the peer ([email protected], CN=datanodehostname
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:208) 
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188) 
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:368) 
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509) 
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120) 
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) 
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) 
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) 
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) 
  • Can Nodes Info return the publish_host with _nodes/http?

    • If so, can the Java client be configured to read it when using HTTPS scheme?

  • Or, should the Java client sniff _nodes/settings to fetch network.publish_host instead?

Is there another solution that does not include requesting a certificate with the node IP address in the SAN?

/cc @Dinomoe

:CorFeatureJava Low Level REST Client >bug CorFeatures help wanted
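
The failure reported above can be checked ahead of time by comparing each node's sniffed address with the names in its certificate. The sketch below is an added example, not code from the issue or from the Elasticsearch client: the sample response and certificates are constructed, the matching is a simplified hostname check without wildcard support (not Apache HttpClient's verifier), and the `hostname/ip:port` form of `publish_address` is an assumption.

```python
import ipaddress

# Constructed sample: trimmed _nodes/http response and peer certificates in the
# dict form returned by ssl.SSLSocket.getpeercert(). Not taken from the issue.
NODES_HTTP = {"nodes": {
    "n1": {"name": "datanode1", "http": {"publish_address": "10.0.0.1:9200"}},
    "n2": {"name": "datanode2", "http": {"publish_address": "datanodehostname/10.0.0.2:9200"}},
}}
CERT_NO_SAN = {"subject": ((("commonName", "datanodehostname"),),)}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "datanodehostname"),),),
    "subjectAltName": (("DNS", "datanodehostname"), ("IP Address", "10.0.0.1")),
}


def sniffed_host(publish_address):
    """Host a sniffer would connect to; prefers the name in 'name/ip:port' (assumed form)."""
    host_part = publish_address.rsplit(":", 1)[0]
    return host_part.split("/", 1)[0].strip("[]")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cert_matches(host, cert):
    """Simplified check: IP hosts need an IP SAN, names need a DNS SAN;
    the subject CN is consulted only when the certificate has no SAN at all."""
    sans = cert.get("subjectAltName", ())
    if is_ip(host):
        wanted = ipaddress.ip_address(host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == wanted for k, v in sans)
    if sans:
        return any(k == "DNS" and v.lower() == host.lower() for k, v in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return host.lower() in (cn.lower() for cn in cns)


def failing_nodes(nodes_http, cert):
    """Names of nodes whose sniffed address would fail hostname verification."""
    return sorted(
        info["name"] for info in nodes_http["nodes"].values()
        if not cert_matches(sniffed_host(info["http"]["publish_address"]), cert)
    )
```

With the CN-only certificate, the node published as a bare IP address is the one that fails, which matches the `SSLPeerUnverifiedException` in the log above.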

All 3 comments

Depends on #22029

Hi @javanna, https://github.com/elastic/elasticsearch/issues/22029#issuecomment-299440518 is already fixed in v6.6. Do you think that this bug will be fixed in any future release?

Thanks for the ping @CamiloSierraH, yes, we should update the sniffer to read this new field if available.
