Curl against an encrypted Elasticsearch instance with certificate verification

Ok, thanks to a colleague of mine, I finally found out how to make it work for a localhost instance (or cluster, as in my case). Here are the steps:

  1. Create a file instance.yml like the following:

    instances:
      - name: 'node'
        dns: ['localhost']
        ip: ['127.0.0.1']

  2. Create the certificate with the following command of the certutil tool:

    bin/elasticsearch-certutil cert --keep-ca-key ca --pem --in instance.yml --out certs.zip

It will spit out a zip file with the following structure (once extracted in the certs folder):

    certs
    ├── ca
    │   ├── ca.crt
    │   └── ca.key
    └── node
        ├── node.crt
        └── node.key

  3. Create a folder (e.g. certs) at the path $ES_HOME/config and copy the files ca.crt, node.crt and node.key in that folder.

  4. Configure the SSL part in the elasticsearch.yml file as follows:

    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: certs/node.key
    xpack.security.http.ssl.certificate: certs/node.crt
    xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]
    xpack.security.transport.ssl.key: certs/node.key
    xpack.security.transport.ssl.certificate: certs/node.crt
    xpack.security.transport.ssl.certificate_authorities: ["certs/ca.crt"]

  5. Start Elasticsearch

  6. Set up authentication with

    bin/elasticsearch-setup-passwords interactive

  7. Now you can cURL Elasticsearch without ignoring the certificate with

    curl --cacert $ES_HOME/config/certs/ca.crt -XGET "https://localhost:9200" -u elastic

  8. If you want to have a Kibana instance connecting to the ES instance with full verification mode (without skipping the hostname verification) you can create a folder in the $KIBANA_HOME/config folder (e.g. certs) and copy there the ca.crt certificate file. Then, in your $KIBANA_HOME/config/kibana.yml file you set:

    elasticsearch.hosts: ["https://localhost:9200"]
    elasticsearch.ssl.certificateAuthorities: [ "config/certs/ca.crt" ]
    elasticsearch.ssl.verificationMode: full
    elasticsearch.username: "kibana_system"
    elasticsearch.password: "pwd-you-set-for-kibana_system-user"

P.S. note that full is the default value for elasticsearch.ssl.verificationMode, so no need to specify it.

Hope it helps anybody trying to set up a local instance with certificates to carry out tests like me.

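Added example, not part of the original post: a pre-flight check that runs the chain and name checks a verifying client such as `curl --cacert` depends on, so a SAN that does not cover the URL's host is caught before the request is made. It assumes the `openssl` CLI is installed; the function names, the throwaway certificates it generates and the host `es01.example.internal` are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.

# check_node_cert CA_CRT NODE_CRT HOST
# Returns 0 only if NODE_CRT chains to CA_CRT *and* its subjectAltName covers
# HOST, i.e. the chain check and the hostname check a verifying client performs.
check_node_cert() {
  cnc_ca=$1; cnc_crt=$2; cnc_host=$3
  # Chain check: the node certificate must be signed by the given CA.
  openssl verify -CAfile "$cnc_ca" "$cnc_crt" 2>/dev/null | grep -q ': OK$' || return 1
  # Name check: IP literals are matched against IP SANs, names against DNS SANs.
  case $cnc_host in
    *:*)       cnc_flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) cnc_flag=-checkhost ;;  # anything with a non-digit is a DNS name
    *)         cnc_flag=-checkip ;;    # dotted IPv4
  esac
  openssl x509 -in "$cnc_crt" -noout "$cnc_flag" "$cnc_host" 2>/dev/null |
    grep -q 'does match certificate'
}

# make_sample_certs DIR: constructed throwaway CA and node certificate carrying
# the same SANs as the instance.yml above (DNS localhost, IP 127.0.0.1).
make_sample_certs() {
  msc_d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sample CA' \
    -keyout "$msc_d/ca.key" -out "$msc_d/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=node' \
    -keyout "$msc_d/node.key" -out "$msc_d/node.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$msc_d/san.ext"
  openssl x509 -req -in "$msc_d/node.csr" -CA "$msc_d/ca.crt" -CAkey "$msc_d/ca.key" \
    -CAcreateserial -days 1 -extfile "$msc_d/san.ext" -out "$msc_d/node.crt" 2>/dev/null
}

# Demo: the hostname in the URL decides whether verification can succeed.
demo_dir=$(mktemp -d) && make_sample_certs "$demo_dir"
for h in localhost 127.0.0.1 es01.example.internal; do   # last name is hypothetical
  if check_node_cert "$demo_dir/ca.crt" "$demo_dir/node.crt" "$h"; then
    echo "https://$h:9200 -> certificate verifies"
  else
    echo "https://$h:9200 -> verification would fail"
  fi
done
rm -rf "$demo_dir"
```

Against a real setup, call `check_node_cert` with the `ca.crt` and `node.crt` copied into `$ES_HOME/config/certs` and the host name you intend to put in the URL.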