Certificate error

Hi team,
I brought up an Elastic Stack on my Kubernetes cluster using the guide
"Elasticsearch on Kubernetes",
but I am not able to access the curl command using this:
curl --cacert ca.crt -u elastic:password https://localhost:9200
But without using the certificate I am getting the expected result.

Also, I have generated a new CA using
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem

Now I get a zip file; after unzipping I get ca/ca.crt ca/ca.key ca/ca.p12

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --silent --in /etc/elasticsearch/certs/instances.yml --ca-cert /usr/share/elasticsearch/ca/ca.crt --ca-key /usr/share/elasticsearch/ca/ca.key

Now I got a zip file which contains node1.p12

This is my instance.yml:

instances:
  - name: "node1"
    ip:
      - "135.249.153.2"
      - "127.0.0.1"
      - "10.233.120.68"
    dns:
      - "localhost"

This is my elasticsearch.yml file:

cluster:
    name: quickstart
    routing:
        allocation:
            awareness:
                attributes: k8s_node_name
discovery:
    seed_hosts: []
    seed_providers: file
http:
    publish_host: ${POD_NAME}.${HEADLESS_SERVICE_NAME}.${NAMESPACE}.svc
network:
    host: "0"
    publish_host: ${POD_IP}
node:
    attr:
        k8s_node_name: ${NODE_NAME}
    name: ${POD_NAME}
    store:
        allow_mmap: false
path:
    data: /usr/share/elasticsearch/data
    logs: /usr/share/elasticsearch/logs
xpack:
    license:
        upload:
            types:
                - trial
                - enterprise
    security:
        authc:
            realms:
                file:
                    file1:
                        order: -100
                native:
                    native1:
                        order: -99
            reserved_realm:
                enabled: "false"
        enabled: "true"
        http:
            ssl:
                certificate: /usr/share/elasticsearch/config/http-certs/ca.crt
                certificate_authorities: /usr/share/elasticsearch/config/http-certs/ca.crt
                enabled: true
                key: /usr/share/elasticsearch/config/http-certs/ca.key
        transport:
            ssl:
                certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt
                certificate_authorities:
                    - /usr/share/elasticsearch/config/transport-certs/ca.crt
                    - /usr/share/elasticsearch/config/transport-remote-certs/ca.crt
                enabled: "true"
                key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key
                verification_mode: certificate

Can anyone please help?

With ECK, certificates will be held as secrets in Kubernetes. Please have a look at the TLS certificates section in the documentation for further details.

Hi @Magnus_Kessler,
I have obtained the public certificate as mentioned in the documentation through the secrets, and I have run this command from outside the pod:
curl --cacert tls.crt -u elastic:$PASSWORD https://10.233.34.190:9200

It gives curl: (56) Received HTTP code 504 from proxy after CONNECT
When I exec into the pod, go to /usr/share/elasticsearch/config/http-certs/
and try it with this command:
curl --cacert tls.crt -u elastic:1Rr583PE6JBUjHUU562v20om https://localhost:9200
I get curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'

But in both cases I am able to get the desired output if I try it with the -k flag, which excludes the certificate.
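
The curl (60) error quoted above means the name in the URL is not among the certificate's subject alternative names (SANs). As an added example that is not part of the thread, the script below checks a certificate against the names a client might use; the certificate and its SAN list are constructed stand-ins (the `default` namespace is assumed), and `make_sample_cert`, `cert_covers` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. The SAN lists used here are constructed, not values from the thread.

# make_sample_cert DIR SANS: throwaway self-signed cert carrying the given SAN list.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample-es-http" -addext "subjectAltName=$2" \
        -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# cert_covers CERT TARGET: exit 0 only if TARGET is covered by the certificate.
# IP literals are compared with iPAddress SANs, anything else with dNSName SANs,
# which is the same split a TLS client such as curl applies to the URL host.
cert_covers() {
    case $2 in
        *:*)       check=-checkip ;;    # IPv6 literal
        *[!0-9.]*) check=-checkhost ;;  # has a non-digit, non-dot character: hostname
        *)         check=-checkip ;;    # dotted-quad IPv4
    esac
    openssl x509 -in "$1" -noout "$check" "$2" | grep -q 'does match'
}

# report CERT TARGET...: print one verdict line per target.
report() {
    cert=$1; shift
    for target in "$@"; do
        if cert_covers "$cert" "$target"; then
            verdict="covered"
        else
            verdict="NOT covered (curl error 60)"
        fi
        printf '%-34s %s\n' "$target" "$verdict"
    done
}

workdir=$(mktemp -d)
# Assumed shape of an operator-issued HTTP certificate: service DNS names only.
make_sample_cert "$workdir" "DNS:quickstart-es-http.default.svc,DNS:quickstart-es-http"
openssl x509 -in "$workdir/tls.crt" -noout -ext subjectAltName
report "$workdir/tls.crt" quickstart-es-http.default.svc localhost 127.0.0.1
```

Pointing `cert_covers` at the real `tls.crt` taken from the secret shows which names the URL may use. The `-k` flag does not fix a mismatch; it turns certificate verification off.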
