After Xpack enabled - receive logs about plaintext traffic on encrypted channel

Hello,

So I set up XPack security in my ELK cluster (3 hosts: server01 (master), server02 & 03 (worker)).

I followed the guide provided by Elastic and set up the certificates, including my Server01 as CA.
Here's my Config:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path:  /data/certs/elastic-certificates.p12

The guide said that if I do not specify --Hostname --DNS --IP I could use the same certificate on all nodes, so I used the one which was created on Server01.
Then I copied it to the other nodes and changed the config on all of them as seen above.

If I check the nodes' status I get the following response:

curl -X GET -u elastic "X.X.X.X:9200/_cat/nodes/?v"
Enter host password for user 'elastic':
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
X.X.X.01           12          98   1    0.00    0.01     0.08 ilm       *      server01
X.X.X.02           74          95  56    2.69    2.32     2.18 dil       -      server02
X.X.X.03           15          97   1    0.00    0.01     0.05 dil       -      server03

So I now have to authenticate myself to use the REST API. But if I view the logs on my Elastic server, I see the following error:

[2020-03-23T00:02:33,700][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/X.X.X.01:9300, remoteAddress=/X.X.X.02:50792}
[2020-03-23T00:02:42,754][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/X.X.X.01:9300, remoteAddress=/X.X.X.03:35122}

It's the same on the worker nodes (Server02 / 03). So it seems my Server02 & Server03 are still trying to communicate via plaintext and not TLS. I don't know why Server01 doesn't try to do the same, and I don't know what I have to do to get rid of this.

I'm using version 7.6 on Kibana/Elasticsearch/Logstash on all Servers.

Any ideas what I did wrong?

Thanks in advance!

Solved - a Filebeat service was sending data to the cluster which was not encrypted.
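
The WARN lines above name only the sender's address and source port, not the program behind it, so a client on a node's host looks the same as the node itself. As an added example (not part of the original post), this script groups those warnings by receiving node and sender host; the function name `summarize_plaintext_senders` and the sample log are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of the WARN lines quoted in the post,
# with addresses masked the same way; the last line is unrelated noise.
SAMPLE_LOG = """\
[2020-03-23T00:02:33,700][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/X.X.X.01:9300, remoteAddress=/X.X.X.02:50792}
[2020-03-23T00:02:42,754][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/X.X.X.01:9300, remoteAddress=/X.X.X.03:35122}
[2020-03-23T00:02:43,701][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [server01] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/X.X.X.01:9300, remoteAddress=/X.X.X.02:50801}
[2020-03-23T00:03:00,000][INFO ][o.e.c.s.ClusterApplierService] [server01] unrelated line
"""

# Captures timestamp, receiving node, and both socket endpoints of the warning.
PLAINTEXT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]+\]\s+\[(?P<node>[^\]]+)\]\s+"
    r"received plaintext traffic on an encrypted channel.*?"
    r"localAddress=[^/]*/(?P<lhost>[^,}]+):(?P<lport>\d+),\s*"
    r"remoteAddress=[^/]*/(?P<rhost>[^,}]+):(?P<rport>\d+)\}"
)


def summarize_plaintext_senders(log_text):
    """Group plaintext-traffic warnings by (receiving node, sender host)."""
    senders = {}
    for line in log_text.splitlines():
        m = PLAINTEXT_RE.match(line)
        if not m:
            continue  # not a plaintext-traffic warning
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f")
        entry = senders.setdefault(
            (m["node"], m["rhost"]),
            {"count": 0, "first": ts, "last": ts,
             "local_ports": set(), "src_ports": set()},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["local_ports"].add(int(m["lport"]))   # port the sender connected to
        entry["src_ports"].add(int(m["rport"]))     # sender's ephemeral ports
    return senders


if __name__ == "__main__":
    for (node, host), e in sorted(summarize_plaintext_senders(SAMPLE_LOG).items()):
        print(f"{node} <- {host}: {e['count']} plaintext connection(s) "
              f"to port(s) {sorted(e['local_ports'])}, "
              f"{e['first']:%H:%M:%S} to {e['last']:%H:%M:%S}, "
              f"source ports {sorted(e['src_ports'])}")
```

Each sender host in the summary is where to look for a client configured without TLS, such as the Filebeat service in the resolution above.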