Clean Install 8.10 Security Configuration

I've been testing Elastic 7.17 in single-node configuration and have successfully configured minimal and basic security.
Now I'd like to set up a new 3-node cluster on the latest version (8.10), but can't for the life of me get the cluster security working. All 3 nodes are up and running with no security.
I've tried following the official guide to the letter and it's failed miserably every time. Fixing one issue creates three more and I've been chasing them for a week now, constantly reverting to the original VMware snapshot to try again.
I've also tried other guides but they all seem to have different methods for implementing security.
So, does anyone know of a guide for 8.10 that actually works?
Thanks!

Hi @mgriffith Welcome to the community

Sorry you are struggling

When you say clean install, you mean a fresh install, not an upgrade, correct?
And clean means clean ... clean up whatever you have tried so far.

So tell us more because we can't help without specifics... and yes many people have installed 8.x using our docs, sometimes smooth...sometimes not.

Elastic Security is automatically set up if you do one of the default install methods.

Please start with
Exact Version you are trying to install
What OS?
What install Method (tar.gz, deb, rpm, windows)?
Automatic security, or do you want to do manual security?

Then for example, I would recommend following our official docs like this for .deb

Then come with a specific question / error etc. we have helped many to get up and running, but we can not help without specifics.

Then, to add more nodes, here

Let us know...

Sorry...
Yes, fresh clean install.
Version: 8.10.4.
Server OS: Ubuntu 20.04.
Installed via the tar.gz method as per this guide: fosstechnix.com/how-to-install-elastic-stack-8-on-ubuntu-20-04/

Yes, I'm trying to do manual security as the tar.gz install had security enabled but not configured so I followed your guide on how to do it manually, as well as a few others.
I took snapshots after a successful baseline installation (filebeat, elastic, kibana and logstash) so I could revert back after failure and try again.
There were so many errors I don't know where to start. I've since reverted to the baseline snapshot.
So you suggest starting over with the .deb package install?

It depends on what you are trying to accomplish... for prod ... I would use a package... to learn the first time I might try tar.gz

Turns out security for 7.17 and 8.x is the same, except 8.x will set it up automatically for you, but you can go in afterward and just set up the certs yourself if you want, just like you did in 7.17.

With 8.10 you should set up 1 node and get it all set up. Then set up another node (with discovery settings), then enroll the new node with the method in the docs.

What method depends on what you are trying to accomplish...

if you DO NOT want auto security put this in the elasticsearch.yml FIRST before starting it

xpack.security.autoconfiguration.enabled: false

If you want to try tar.gz again, I did a super simple setup here ...

I would get 1 node set up fully secured first.

Then repeat and enroll, or, if you do manual setup, set up the additional nodes manually.

I may not get back to you for a while...

Yes, I was working on node 1 exclusively before working on nodes 2 and 3. I'll try the guide you posted.

Thanks!

I wrote a small blog post last year about setting up a 3-node Elasticsearch 8.X cluster + 1 Kibana node where you manually configure the security settings.

It is based on a rpm distribution, but the settings are the same for deb and tar.gz, you would need only to validate/change some paths.

You can find it here.


Thanks I'll give this a shot today.

One more question. So I'm going to spin up a new Kibana server as per your instructions and see how it goes, then add my three existing elastic nodes.

I plan on monitoring about 400 servers and network devices. Does the Kibana server require a lot of compute resources, or what's sufficient to run just Kibana?

I've seen that with just 14 nodes for about three weeks on my 7.10 single-node server and the 100GB disk I've allocated is rapidly filling up. What would your recommendations be for the storage allocation on the three elastic nodes, which currently have 100GB disks?

Thanks again.

I was stuck for two days trying to set up basic auth for Kibana version 8.X. Thank you for your excellent article, it solved my problem.

I've gone through your guide and for whatever reason, Elastic is still looking for the wrong certs, which obviously don't exist... "cannot read configured [PKCS12] keystore [/etc/elasticsearch/certs/http.p12] because the file does not exist."

Is this with the package / deb install or tar.gz?

Assuming the file is there, that is usually a file permission issue.

Show the following

cd /etc/elasticsearch
ls -la
cd certs
ls -la 

In the guide that I shared I do not use any .p12 certificate, nor any certificate named http.p12, so this is some left-over of a previous attempt.

I would recommend that you double-check it if you want to follow that guide.

Your instructions specifically say to delete the directories that contain those certs.

Sorry, replied to wrong person.

Exactly my point. I'm not new to this, but I must say that I'm getting to the point, after two weeks, of telling my boss we should stick with SolarWinds. This is ridiculously difficult to set up, and I'm no amateur either. I followed your instructions to the letter...

$ sudo rm -rf /etc/elasticsearch/certs
$ sudo rm -f /etc/elasticsearch/elasticsearch.keystore


And then set the elasticsearch config as this:

# Enable security features
xpack.security.enabled: true
xpack.security.autoconfiguration.enabled: false
# transport ssl
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/elastic-01/elastic-01.key
xpack.security.transport.ssl.certificate: certs/elastic-01/elastic-01.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt
## http ssl
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/elastic-01/elastic-01.key
pack.security.http.ssl.certificate: certs/elastic-01/elastic-01.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt

TYPO? missing x?
xpack.security.http.ssl.certificate: certs/elastic-01/elastic-01.crt

it then may be defaulting to the default setting...
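A check that would have caught both failures in this thread (the certificate path that does not exist, and the setting that lost its leading "x" and so silently fell back to the default), added here as an example; it is not part of any post above and not Elasticsearch's own tooling. It reads the xpack.security.*.ssl.* lines of an elasticsearch.yml, flags any such key that is not under xpack.security, and tests that every key/certificate/CA path is a readable file, resolving relative paths against the config directory the way Elasticsearch does. The directory layout, file names and config it builds are constructed for the demo; the file contents are dummy strings, not real certificates. Run it as the elasticsearch user (sudo -u elasticsearch sh ...) so the readability test reflects the permissions that actually matter.

```shell
#!/bin/sh
# Sanity-check the TLS settings in an elasticsearch.yml before starting the node.
#   1. every *.ssl.* key must be spelled xpack.security.transport.ssl.* or
#      xpack.security.http.ssl.* (catches "pack.security..." style typos);
#   2. every key / certificate / certificate_authorities / keystore / truststore
#      path must be a readable file; relative paths are resolved against the
#      directory that holds elasticsearch.yml, as Elasticsearch does.
# Problems go to stderr; the number of problems is printed on stdout.
# Limitation: a YAML list value such as [a.crt, b.crt] is treated as one path.
check_es_tls_config() {
  cfg="$1"
  cfgdir=$(dirname "$cfg")
  problems=0
  while IFS= read -r line; do
    case "$line" in
      \#*|"") continue ;;          # comments and blank lines
    esac
    key=${line%%:*}
    key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    val=${line#*:}
    val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$key" in
      *security.*.ssl.*)
        case "$key" in
          xpack.security.transport.ssl.*|xpack.security.http.ssl.*) ;;
          *)
            echo "misspelled setting, Elasticsearch will ignore it: $key" >&2
            problems=$((problems+1))
            continue ;;
        esac ;;
      *) continue ;;               # not a TLS setting
    esac
    case "$key" in
      *.key|*.certificate|*.certificate_authorities|*.keystore.path|*.truststore.path)
        case "$val" in
          /*) path="$val" ;;
          *)  path="$cfgdir/$val" ;;
        esac
        if [ ! -r "$path" ]; then
          echo "missing or unreadable file for $key: $path" >&2
          problems=$((problems+1))
        fi ;;
    esac
  done < "$cfg"
  echo "$problems"
}

# Build a constructed config directory that reproduces the thread's two mistakes:
# elastic-01.crt was never copied over, and one http.ssl key is missing its "x".
# Prints the directory path.
make_demo_config() {
  d=$(mktemp -d)
  mkdir -p "$d/certs/ca" "$d/certs/elastic-01"
  echo "dummy CA cert"  > "$d/certs/ca/ca.crt"
  echo "dummy node key" > "$d/certs/elastic-01/elastic-01.key"
  cat > "$d/elasticsearch.yml" <<'EOF'
# Enable security features
xpack.security.enabled: true
xpack.security.autoconfiguration.enabled: false
# transport ssl
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/elastic-01/elastic-01.key
xpack.security.transport.ssl.certificate: certs/elastic-01/elastic-01.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt
## http ssl
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/elastic-01/elastic-01.key
pack.security.http.ssl.certificate: certs/elastic-01/elastic-01.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt
EOF
  printf '%s\n' "$d"
}

demo_dir=$(make_demo_config)
echo "checking $demo_dir/elasticsearch.yml"
check_es_tls_config "$demo_dir/elasticsearch.yml"
```

Against the constructed config it reports two problems: the missing elastic-01.crt and the "pack.security.http.ssl.certificate" key. Point it at the real /etc/elasticsearch/elasticsearch.yml (as the elasticsearch user) and a zero result means every referenced file exists and is readable and no TLS setting is being silently ignored; it says nothing about whether the key and certificate actually belong together, which is what openssl x509 / openssl pkey are for.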

I hate my life!!! Hahaha. Thanks!


we have ALLLLL been there!
