Configure TLS/SSL for Elasticsearch using Let's Encrypt issue

Hi all, I'm trying to configure a TLS connection for Elasticsearch using the Helm package. Here is the current configuration:

    protocol: https
    secretMounts:
      - name: certall
        secretName: certall
        path: /usr/share/elasticsearch/config/certs
        defaultMode: 0755
    masterService: "elasticsearch-master"
    esConfig:
      elasticsearch.yml: |
        xpack.security.enabled: true
        xpack.security.transport.ssl.enabled: true
        xpack.security.transport.ssl.verification_mode: certificate
        xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/certall.key
        xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/certall.crt
    extraEnvs:
      - name: ELASTIC_PASSWORD
        valueFrom:
          secretKeyRef:
            name: elastic-credentials
            key: password
      - name: ELASTIC_USERNAME
        valueFrom:
          secretKeyRef:
            name: elastic-credentials
            key: username

I create the Kubernetes secret using this command:

    kubectl create secret generic certall --from-file=cert.pem

The Let's Encrypt certification folder has 2 files that I need: fullchain.pem and privkey.pem, so basically what I've done is copy the content of both of those files into the file named cert.pem, as you can see. Then I mount it as a secret to the pod.

The problem that I keep running into is:

    ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to create trust manager]; nested: ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: ElasticsearchException[failed to initialize SSL KeyManager - certificate file [/usr/share/elasticsearch/config/certs/certall.crt] does not exist]; nested: NoSuchFileException[/usr/share/elasticsearch/config/certs/certall.crt];
    Likely root cause: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/certs/cert-chain.crt
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
        at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:375)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:426)
        at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
        at java.base/java.nio.file.Files.newInputStream(Files.java:160)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:97)
        at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.getCertificateChain(PEMKeyConfig.java:80)
        at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createTrustManager(PEMKeyConfig.java:128)
        at org.elasticsearch.xpack.core.ssl.TrustConfig$CombiningTrustConfig.lambda$createTrustManager$0(TrustConfig.java:168)
        at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271)
        at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at

I'm not sure if there is anything wrong with it. It's obvious that I mounted it into the pod with the correct path, but it said the cert file didn't exist. I also created 2 secrets corresponding to the 2 files fullchain.pem and privkey.pem and changed the path, but no luck; it can't find the files.

Any help would be appreciated. Thanks a lot!

I don't know why exactly, but after several tries I can finally see the secret mounted into the pods so that I can use it.
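A Secret volume exposes one file per Secret key, and `kubectl create secret --from-file=PATH` names the key after the source file's basename unless the argument is written `KEY=PATH`. The following check is an added example, not part of the thread or of the Helm chart: it compares the files a Secret mount would contain with the PEM paths in the posted `elasticsearch.yml`. The helper names and the corrected `--from-file` arguments are hypothetical.

```python
import posixpath
import re

# Values copied from the post above.
MOUNT_PATH = "/usr/share/elasticsearch/config/certs"
ES_YML = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/certall.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/certall.crt
"""

# Matches only the single-path PEM settings (ssl.key and ssl.certificate).
SSL_PATH_SETTING = re.compile(
    r"^[ \t]*(xpack\.security\.\w+\.ssl\.(?:key|certificate))[ \t]*:[ \t]*(\S+)[ \t]*$",
    re.MULTILINE,
)


def projected_files(mount_path, from_file_args):
    """Files a Secret volume exposes, given the values passed to --from-file."""
    files = set()
    for arg in from_file_args:
        key, sep, _src = arg.partition("=")
        if not sep:
            # No explicit KEY=: kubectl uses the basename of the source file.
            key = posixpath.basename(arg)
        files.add(posixpath.join(mount_path, key))
    return files


def missing_ssl_files(es_yml, mount_path, from_file_args):
    """Map each ssl.key / ssl.certificate setting to a path the mount lacks."""
    present = projected_files(mount_path, from_file_args)
    return {
        setting: path
        for setting, path in SSL_PATH_SETTING.findall(es_yml)
        if path not in present
    }


if __name__ == "__main__":
    # Command from the post: the only key is cert.pem, so both paths are missing.
    print(missing_ssl_files(ES_YML, MOUNT_PATH, ["cert.pem"]))
    # Hypothetical corrected invocation using kubectl's KEY=PATH form.
    print(missing_ssl_files(ES_YML, MOUNT_PATH,
                            ["certall.crt=fullchain.pem", "certall.key=privkey.pem"]))
```

Separately from the file names, `defaultMode: 0755` in the posted values makes the mounted private key readable by every user in the container; key material is normally mounted with the tightest mode the Elasticsearch process can still read.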
