[Elastic Cloud] Configuring trust with clusters in a self-managed environment

I have two ES clusters:

  1. Elastic Cloud (all the data is here)
  2. Self-managed cluster (no data, will use for cross-cluster-search in Elastic Cloud)

I want cluster #1 to trust #2, so I can use CCS. So I'm following your guide.

1. Creating the CA cert

I run bin/elasticsearch-certutil ca, obtaining this file: elastic-stack-ca.p12.

2. Adding the CA cert to Elastic Cloud

Now I go to the Elastic Cloud console, and try to upload this CA cert, but I get this error:

Certificate is not valid. Reason: [Unexpected error parsing certificate]

I cannot understand what I'm doing wrong!

Made it work by generating the local CA certificate in PEM format:

  1. bin/elasticsearch-certutil ca --pem
  2. Now you have a dir ca/ with two files: ca.cer and ca.key.
  3. Rename ca/ca.cer to ca/ca.pem
  4. Now the GUI will accept it

So now I know how to upload a certificate authority pem to Elastic Cloud, good.

As a proof of concept, I now created a VPS with a super basic Elasticsearch and Kibana 8.3.3 downloaded via apt-get.

I used the automatically created certificates, and got Kibana working using an enrollment token, so Elasticsearch (single node) and Kibana listen on the public interface and are working correctly.

Now, I would like to upload the certificate authority PEM automatically generated for this cluster, but under /etc/elasticsearch/certs I can only see:

ls /etc/elasticsearch/certs

http_ca.crt  http.p12  transport.p12

I proceed to upload the http_ca.crt to Elastic Cloud, and it works, but is this the correct file?

Some guidance is requested for further steps :pray:

@Larry_Gregory can you throw some insights into this when you find time.


Hi, any updates on this?

Yes, some headway, and YES it does work.

This is literally brand new functionality released a couple of weeks ago... specifically CCS Self Managed to ESS; the trust stuff is pretty low level.

BUT apologies, it is pretty hard but can be done, and I don't think you would be able to do it with the current docs and error messages... I could not.

One of the PMs walked through the steps; it is non-trivial and I will need to try to repeat them.

Unfortunately I am away from the office till next week... after I try it I can get back, OR you can contact sales and get a Solution Architect (which I am as well, but probably not for your account)... but I would be surprised if that turnaround would be quicker...

Hi @stephenb, thanks for your answer.

From our side, we can manage until next week. The important part for today is that you can confirm this integration model is something that is possible, and that you intend to support it as part of the Elastic Cloud offer in the future.

From a consultancy standpoint, knowing we have this route available is a breath of fresh air, as it opens up the route for hybrid systems where:

  • Elastic takes care of keeping the data safe, fast, and available
  • The customer has virtually no switching cost in migrating to the cloud, as we can keep the custom access-control plugins with years worth of configuration in place.

We will use this time to create a docker-compose PoC, where we simulate Elastic Cloud as a regular single-node cluster (with SSL enabled).

Next week, with some more guidance on the Elastic Cloud "trust with self-managed clusters" feature, we will hopefully be just "swapping cables" and everything should work as with our docker stub🤞

Thanks for now!

Our PoC was successful: simulating Elastic Cloud with a vanilla ES cluster with SSL enabled worked like a charm. We are now ready to jump on board your cloud offering as soon as we get some assistance with the certificates.

It's OK if an engineer or solution architect contacts me via email.

Just a side note: use --days and put a large number, or else your self-signed certificate will expire in three years.

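As an added example (not code from the thread, and not Elastic's tooling), here is a small POSIX shell helper covering the two practical points raised above: generating the CA in PEM form with a longer --days value than certutil's default, and checking a file before pasting it into the Elastic Cloud console. It assumes a local Elasticsearch install (the $ES_HOME path is an assumption) and that openssl is available for the inspection step; the certutil flags --pem, --days and --out are real, and the output file is copied from whichever of ca/ca.crt or ca/ca.cer the zip contains (the thread reports ca.cer). It does not decide which of the CAs under /etc/elasticsearch/certs the trust feature expects; it only confirms that what you upload is a PEM-encoded CA certificate with enough lifetime left, which is where the "Unexpected error parsing certificate" rejection of the .p12 and the three-year expiry note both come from.

```shell
#!/bin/sh
# Added example: PEM CA generation with a long validity, plus a pre-upload check.

# Step 1 (assumes $ES_HOME is a local Elasticsearch install): build the CA in PEM
# form with a 10-year validity instead of certutil's 3-year default, and copy
# the certificate to ca.pem, the name the thread found the console accepts.
generate_ca() {
  es_home="${1:-/usr/share/elasticsearch}"   # assumed install location
  days="${2:-3650}"                          # validity in days
  out_dir="${3:-/tmp/es-ca}"
  "$es_home/bin/elasticsearch-certutil" ca --pem --days "$days" --out "$out_dir.zip" \
    && unzip -o "$out_dir.zip" -d "$out_dir" || return 1
  for name in ca.crt ca.cer; do           # docs say ca.crt; the thread saw ca.cer
    [ -f "$out_dir/ca/$name" ] && cp "$out_dir/ca/$name" "$out_dir/ca/ca.pem" && return 0
  done
  return 1
}

# Step 2: classify a file the way the upload form sees it. The console in the
# thread only accepted the PEM CA; the .p12 from a plain `certutil ca` is
# PKCS#12, a binary DER structure that starts with a SEQUENCE tag (0x30).
cert_format() {
  f="$1"
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
    echo pem
  elif [ "$(od -An -N1 -tx1 "$f" 2>/dev/null | tr -d ' ')" = "30" ]; then
    echo der        # PKCS#12 or DER-encoded certificate: not what the form wants
  else
    echo unknown
  fi
}

# Step 3: with openssl installed, show subject and expiry, confirm the file is
# marked as a CA, and fail if less than a year of validity remains (the
# situation the --days advice in the thread is about).
inspect_pem_ca() {
  f="$1"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
  openssl x509 -in "$f" -noout -subject -enddate || return 1
  if openssl x509 -in "$f" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "basicConstraints: CA:TRUE"
  else
    echo "warning: file is not marked as a CA certificate"
  fi
  # -checkend exits non-zero if the certificate expires within the given seconds
  openssl x509 -in "$f" -noout -checkend $((365 * 24 * 3600))
}

# Usage (not run on definition):
#   generate_ca /usr/share/elasticsearch 3650 /tmp/es-ca
#   [ "$(cert_format /tmp/es-ca/ca/ca.pem)" = pem ] && inspect_pem_ca /tmp/es-ca/ca/ca.pem
```

Run cert_format first; if it reports der you are holding the .p12 (or a DER .crt) and the console will reject it regardless of how valid the certificate is, which is the failure mode the original post hit. inspect_pem_ca's -checkend exit status makes it usable as a gate in a provisioning script.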
