Calling Elastic search from remote server via https

This works fine on local machine
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic: https://localhost:9200

This does not work remotely
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic: https://server.name.com:9200

The server won't start here is the configuration.

# ======================== Elasticsearch Configuration =========================
#
path.data: /var/lib/elasticsearch
#
path.logs: /var/log/elasticsearch
#
action.auto_create_index: ".ent-search-*-logs-*,-.ent-search-*,+*"
#
network.host: server.name.com
#
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.authc.api_key.enabled: true
xpack.security.http.ssl.enabled: true
#
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
 enabled: true
 keystore.path: /etc/elasticsearch/certs/http.p12
#
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
 enabled: true
 verification_mode: certificate
 keystore.path: /etc/elasticsearch/certs/transport.p12
 truststore.path: /etc/elasticsearch/certs/transport.p12
#
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

This is the error message.

[2023-04-18T16:26:04,842][INFO ][o.e.p.PluginsService     ] [rofccs901a] loaded module [x-pack-text-structure]
[2023-04-18T16:26:04,842][INFO ][o.e.p.PluginsService     ] [rofccs901a] loaded module [x-pack-voting-only-node]
[2023-04-18T16:26:04,842][INFO ][o.e.p.PluginsService     ] [rofccs901a] loaded module [x-pack-watcher]
[2023-04-18T16:26:04,842][INFO ][o.e.p.PluginsService     ] [rofccs901a] loaded module [x-pack-write-load-forecaster]
[2023-04-18T16:26:04,842][INFO ][o.e.p.PluginsService     ] [rofccs901a] no plugins loaded
[2023-04-18T16:26:07,529][INFO ][o.e.e.NodeEnvironment    ] [rofccs901a] using [1] data paths, mounts [[/var (/dev/mapper/vg_system-lv_var)]], net usable_space [6.5gb], net total_space [9.7gb], types [ext4]
[2023-04-18T16:26:07,529][INFO ][o.e.e.NodeEnvironment    ] [rofccs901a] heap size [7.7gb], compressed ordinary object pointers [true]
[2023-04-18T16:26:07,693][INFO ][o.e.n.Node               ] [rofccs901a] node name [rofccs901a], node ID [Hdt100ybQqeo8xCaJLjnOQ], cluster name [elasticsearch], roles [ingest, data_frozen, ml, data_hot, transform, data_content, data_warm, master, remote_cluster_client, data, data_cold]
[2023-04-18T16:26:10,794][INFO ][o.e.x.s.Security         ] [rofccs901a] Security is enabled
[2023-04-18T16:26:11,030][INFO ][o.e.x.s.a.s.FileRolesStore] [rofccs901a] parsed [0] roles from file [/etc/elasticsearch/roles.yml]
[2023-04-18T16:26:11,407][INFO ][o.e.x.s.InitialNodeSecurityAutoConfiguration] [rofccs901a] Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot  determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user.
[2023-04-18T16:26:11,484][INFO ][o.e.x.m.p.l.CppLogMessageHandler] [rofccs901a] [controller/28992] [Main.cc@123] controller (64 bit): Version 8.6.2 (Build 0d41528b670ce1) Copyright (c) 2023 Elasticsearch BV
[2023-04-18T16:26:12,057][INFO ][o.e.t.n.NettyAllocator   ] [rofccs901a] creating NettyAllocator with the following configs: [name=elasticsearch_configured, chunk_size=1mb, suggested_max_allocation_size=1mb, factors={es.unsafe.use_netty_default_chunk_and_page_size=false, g1gc_enabled=true, g1gc_region_size=4mb}]
[2023-04-18T16:26:12,087][INFO ][o.e.i.r.RecoverySettings ] [rofccs901a] using rate limit [40mb] with [default=40mb, read=0b, write=0b, max=0b                                           ]
[2023-04-18T16:26:12,135][INFO ][o.e.d.DiscoveryModule    ] [rofccs901a] using discovery type [multi-node] and seed hosts providers [settings]
[2023-04-18T16:26:13,456][INFO ][o.e.n.Node               ] [rofccs901a] initialized
[2023-04-18T16:26:13,457][INFO ][o.e.n.Node               ] [rofccs901a] starting ...
[2023-04-18T16:26:13,475][INFO ][o.e.x.s.c.f.PersistentCache] [rofccs901a] persistent cache index loaded
[2023-04-18T16:26:13,476][INFO ][o.e.x.d.l.DeprecationIndexingComponent] [rofccs901a] deprecation component started
[2023-04-18T16:26:13,562][INFO ][o.e.t.TransportService   ] [rofccs901a] publish_address {rofccs901a.mayo.edu/10.146.73.221:9300}, bound_addresses {10.146.73.221:9300}
[2023-04-18T16:26:14,332][INFO ][o.e.b.BootstrapChecks    ] [rofccs901a] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2023-04-18T16:26:14,355][INFO ][o.e.n.Node               ] [rofccs901a] stopping ...
[2023-04-18T16:26:14,406][INFO ][o.e.n.Node               ] [rofccs901a] stopped
[2023-04-18T16:26:14,406][INFO ][o.e.n.Node               ] [rofccs901a] closing ...
[2023-04-18T16:26:14,424][INFO ][o.e.n.Node               ] [rofccs901a] closed
[2023-04-18T16:26:14,426][INFO ][o.e.x.m.p.NativeController] [rofccs901a] Native controller process has stopped - no new native processes can be started

There is no error there, and from what I can see Elasticsearch is starting up and running fine until something asks it to shutdown.

Actually I don't think so. The http REST layer does not start. Only the Transport Layer started:

publish_address {rofccs901a.mayo.edu/10.146.73.221:9300}, bound_addresses {10.146.73.221:9300}

But indeed there is no error message which looks wrong...

Yep you're right, I missed that part. But it's still starting up before it's asked to shutdown.

Is there anything in the configuration missing?
Also role.yml is empty should there be something in there?

What could possible ask it to shut down? Permissions issue?

There's no errors in your logs, so no.

From systemd journal

-- Subject: Unit elasticsearch.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit elasticsearch.service has begun starting up.
Apr 18 17:48:26 rofccs901a systemd-entrypoint[116624]: bootstrap check failure [1] of [1]: the default discovery settings are unsuitable for production use; at least one of [discovery.see
Apr 18 17:48:26 rofccs901a systemd-entrypoint[116624]: ERROR: Elasticsearch did not exit normally - check the logs at /var/log/elasticsearch/elasticsearch.log
Apr 18 17:48:28 rofccs901a systemd-entrypoint[116624]: ERROR: [1] bootstrap checks failed. You must address the points described in the following [1] lines before starting Elasticsearch.
Apr 18 17:48:28 rofccs901a systemd[1]: elasticsearch.service: main process exited, code=exited, status=78/n/a
Apr 18 17:48:28 rofccs901a systemd[1]: Failed to start Elasticsearch.
-- Subject: Unit elasticsearch.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit elasticsearch.service has failed.
--
-- The result is failed.

If I remove this from the elastic.yml file then Elasticsearch starts fine but then I can't do a remote curl.

network.host: server.name.com

Could you try with the ip address instead of the name?

ok, I did change it to IP address and get then same error message. But this time I noticed this error message

systemd-entrypoint[72712]: bootstrap check failure [1] of [1]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured

This is the first time I am starting Elastic search with the network.host set. This is a single instance of Elastic Search and I am not setting up a cluster.
Is this my issue? What yml settings should I add? Thanks

Is there verbose logging that could be done.

It sounds like you want to set the node into single-node discovery:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.