I'm setting up an Elastic Stack on a single host with Docker Compose. I'm using Elasticsearch, Kibana, and a simple Metricbeat to look at system metrics.

I'm having an issue getting the right combination of SSL certs/keys to get Metricbeat talking to ES. I lack security experience and have been trying to follow each guide's recommended setup, but the Beat is giving me ERROR x509: certificate signed by unknown authority when testing the output.
I'm using the elasticsearch-certgen tool to create the CA and keys I need for my cluster.

    elasticsearch-certgen -s --in certgen.yml --out ./config/certs/certificate-bundle.zip

Simple input file certgen.yml:

    instances:
      - name: "elasticsearch"
      - name: "kibana"
      - name: "beat"
These produce a zip with the following artifacts:

    certs/
    ├── beat
    │   ├── beat.crt
    │   └── beat.key
    ├── ca
    │   ├── ca.crt
    │   └── ca.key
    ├── elasticsearch
    │   ├── elasticsearch.crt
    │   └── elasticsearch.key
    └── kibana
        ├── kibana.crt
        └── kibana.key
Metricbeat has the following configuration:

    output.elasticsearch:
      hosts: ["https://localhost:9200"]
      ssl:
        enabled: true
        certificate_authorities: /data/certs/ca/ca.crt
        certificate: /data/certs/beat/beat.crt
        key: /data/certs/beat/beat.key
From the metricbeat container, testing the output fails as follows:

    $ metricbeat test output
    elasticsearch: https://localhost:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 127.0.0.1
        dial up... OK
      TLS...
        security... WARN server's certificate chain verification is disabled
        handshake... ERROR x509: certificate signed by unknown authority
I expected my beat.crt to be signed by the authority given by certificate_authorities: /data/certs/ca/ca.crt, the error indicates otherwise.

I'm using Docker Compose to launch my services. Elasticsearch and Kibana are in the same network and use Docker's DNS for elasticsearch:9200 and kibana:5601 respectively.

The Beat uses host networking and reaches out to 127.0.0.1:9200. I had this working using the output.elasticsearch.ssl.ca_trusted_fingerprint beat configuration option with the default http_ca.crt, but have not been able to get comms up with the certificate and key options, which I would rather use with the rest of the ELK stack.

How do I use these tools to create keys and certs for a trusted network while I test locally?