Hello,
So I set up XPack security in my ELK cluster (3 hosts: server01 (master), server02 & 03 (worker)).
I followed the guide provided by Elastic and set up the certificates, including my Server01 as CA.
Here's my Config:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/certs/elastic-certificates.p12
The guide said that if I do not specify --Hostname --DNS --IP I could use the same certificate on all nodes, so I used the one which was created on Server01.
Then I copied it to the other nodes and changed the config on all of them as seen above.
If I check the nodes' status I get the following response:
curl -X GET -u elastic "X.X.X.X:9200/_cat/nodes/?v"
Enter host password for user 'elastic':
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
X.X.X.01            12          98   1    0.00    0.01     0.08 ilm       *      server01
X.X.X.02            74          95  56    2.69    2.32     2.18 dil       -      server02
X.X.X.03            15          97   1    0.00    0.01     0.05 dil       -      server03
So I now have to authenticate myself to use the REST API. But if I view the logs on my Elastic server, I see the following error:
[2020-03-23T00:02:33,700][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/X.X.X.01:9300, remoteAddress=/X.X.X.02:50792}
[2020-03-23T00:02:42,754][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/X.X.X.01:9300, remoteAddress=/X.X.X.03:35122}
It's the same on the worker nodes (Server 02 / 03). So it seems my Server02 & Server03 are still trying to communicate via plaintext and not TLS. I don't know why Server01 doesn't try to do the same, and I don't know what I have to do to get rid of this.
I'm using version 7.6 on Kibana/Elasticsearch/Logstash on all Servers.
Any ideas what I did wrong?
Thanks in advance!
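
Added example, not part of the original post: a small Python tally of the "received plaintext traffic on an encrypted channel" warnings quoted above, grouped by the remote host that sent the traffic, so it is clear which machines are still speaking plaintext to port 9300 and since when. The function name, the template helper and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re

# Format of the SecurityNetty4Transport warning quoted in the post.
PLAINTEXT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]*SecurityNetty4Transport\]\s*"
    r"\[(?P<node>[^\]]+)\]\s+received plaintext traffic on an encrypted channel"
    r".*?localAddress=/(?P<lhost>[^,}]+):(?P<lport>\d+),"
    r"\s*remoteAddress=/(?P<rhost>[^,}]+):(?P<rport>\d+)\}"
)

# Constructed sample lines (documentation-range IPs), not from a real cluster.
_T = ("[{ts}][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received "
      "plaintext traffic on an encrypted channel, closing connection "
      "Netty4TcpChannel{{localAddress=/192.0.2.1:9300, remoteAddress=/{peer}}}")
SAMPLE_LOG = [
    _T.format(ts="2020-03-23T00:02:33,700", peer="192.0.2.2:50792"),
    _T.format(ts="2020-03-23T00:02:42,754", peer="192.0.2.3:35122"),
    "[2020-03-23T00:02:43,101][INFO ][o.e.n.Node] [server01] constructed unrelated line",
    _T.format(ts="2020-03-23T00:02:52,811", peer="192.0.2.2:50804"),
]


def plaintext_peers(lines):
    """Group plaintext-on-TLS warnings by the remote host that sent the traffic."""
    peers = {}
    for line in lines:
        m = PLAINTEXT_RE.match(line.strip())
        if m is None:
            continue  # other log lines are ignored
        entry = peers.setdefault(
            m["rhost"],
            {"count": 0, "first": m["ts"], "last": m["ts"], "listeners": set()},
        )
        entry["count"] += 1
        # Timestamps in this format sort lexicographically.
        entry["first"] = min(entry["first"], m["ts"])
        entry["last"] = max(entry["last"], m["ts"])
        # Record which local node and transport address rejected the connection.
        entry["listeners"].add(f"{m['node']}@{m['lhost']}:{m['lport']}")
    return peers


if __name__ == "__main__":
    for host, e in sorted(plaintext_peers(SAMPLE_LOG).items()):
        print(f"{host}: {e['count']} plaintext attempt(s) to "
              f"{', '.join(sorted(e['listeners']))} ({e['first']} .. {e['last']})")
```

The remote port in each warning is an ephemeral source port, so the tally narrows the sender down to a host, not to a process on it.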