Difficulty getting SSL working, ES, Beats in Docker

I'm setting up an Elastic Stack on a single-host Docker Compose setup. I'm using Elasticsearch, Kibana, and a simple Metricbeat to look at system metrics.

I'm having an issue getting the right combination of SSL certs/keys to get Metricbeat talking to ES. I lack security experience and have been trying to follow each guide's recommended setup, but the Beat is giving me ERROR x509: certificate signed by unknown authority when testing the output.

I'm using the elasticsearch-certgen tool to create the CA and keys I need for my cluster.

elasticsearch-certgen -s --in certgen.yml --out ./config/certs/certificate-bundle.zip

simple input file certgen.yml

instances:
  - name: "elasticsearch"
  - name: "kibana"
  - name: "beat"

These produce a zip with the following artifacts

certs/
├── beat
│   ├── beat.crt
│   └── beat.key
├── ca
│   ├── ca.crt
│   └── ca.key
├── elasticsearch
│   ├── elasticsearch.crt
│   └── elasticsearch.key
├── kibana
    ├── kibana.crt
    └── kibana.key

Metricbeat has the following configuration

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  ssl:
    enabled: true
    certificate_authorities: /data/certs/ca/ca.crt
    certificate: /data/certs/beat/beat.crt
    key: /data/certs/beat/beat.key

From the metricbeat container, testing the output fails as follows

$ metricbeat test output 
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security... WARN server's certificate chain verification is disabled
    handshake... ERROR x509: certificate signed by unknown authority

I expected my beat.crt to be signed by the authority given by certificate_authorities: /data/certs/ca/ca.crt, but the error indicates otherwise.

I'm using Docker Compose to launch my services. Elasticsearch and Kibana are in the same network and use Docker's DNS for elasticsearch:9200 and kibana:5601 respectively.

The Beat uses host networking and reaches out to 127.0.0.1:9200. I had this working using the output.elasticsearch.ssl.ca_trusted_fingerprint beat configuration option with the default http_ca.crt, but have not been able to get comms up with the certificate and key options, which I would rather use with the rest of the ELK stack.

How do I use these tools to create keys and certs for a trusted network while I test locally?
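
Added example, not part of the original post: in a Go TLS client such as Beats, `x509: certificate signed by unknown authority` during the handshake is raised while the client validates the certificate the server presents, so the useful check is whether the certificate served on port 9200 chains to the `ca.crt` given to Metricbeat. The script below shows both outcomes with two constructed throwaway CAs; `issued_by`, `served_cert`, `make_ca` and `make_leaf` are hypothetical helper names, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Added example; every key and certificate here is constructed test material.

# issued_by CA_PEM CERT_PEM: exit 0 only when CERT_PEM chains to CA_PEM
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# served_cert HOST:PORT OUT_PEM: save the leaf certificate a live server presents, e.g.
#   served_cert localhost:9200 /tmp/es.crt && issued_by /data/certs/ca/ca.crt /tmp/es.crt
served_cert() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# make_ca DIR NAME: self-signed CA written to DIR/NAME.key and DIR/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA_NAME LEAF_NAME: DIR/LEAF_NAME.crt signed by CA_NAME
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_ca "$d" certgen-ca   # stands in for the certgen bundle's ca/ca.crt
  make_ca "$d" other-ca     # stands in for any CA the Beat was not given
  make_leaf "$d" certgen-ca es-from-certgen
  make_leaf "$d" other-ca es-from-other
  # Verify both server certificates against the one CA the client trusts.
  for leaf in es-from-certgen es-from-other; do
    if issued_by "$d/certgen-ca.crt" "$d/$leaf.crt"; then
      echo "$leaf: trusted"
    else
      echo "$leaf: signed by unknown authority"
    fi
  done
  rm -rf "$d"
}

demo
```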
