I have a single instance of Elasticsearch 8.6.2 installed on a Red Hat server. No cloud, no Docker, and a single node; a very simple install. We need SSL enabled and configured to use a 3rd-party certificate; we can't use Elasticsearch's self-signed certificate. Could someone please point me to the Elasticsearch documentation for this configuration? Thanks
Just generate your certs and then make them available and configure and use them. I used Let's Encrypt; the config below works fine for the HTTPS interface. Note it is still recommended to use self-signed for transport, or at least use separate certs, etc.
All the settings are HTTP here and Transport Here
# Enable security features
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  certificate: certs/fullchain.pem  # Let's Encrypt
  key: certs/privkey.pem
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12  # Self-signed
  truststore.path: certs/transport.p12
Thank you for the quick response. Sorry, I should have mentioned we can't use the http interface. We can only use https and nothing self-signed.
Sorry, when I say HTTP I mean HTTP(s).
That example above is HTTPS!
For the transport, you can absolutely use your own certs; we just recommend using separate certs.
Generate your certs, put them in the config folders, make sure they are readable and properly config. Support PEM and P12s
No rocket science just normal cert magic
OK, will give it a try and let you know how it goes. Thanks
To be clear, this enables SSL on the HTTP REST interface.
We call it the HTTP interface as transport is binary.
So technically you enable SSL on the HTTP interface
Hope that makes sense
Yep, that makes sense. My goal is to make a curl call to Elasticsearch using the https protocol, like this:
curl --location --request GET 'https://servername:9200/engine-int/_search?pretty' --header 'Content-Type: application/json' --header 'Authorization: Basic <base64 user:password>' --data '{
"query": {
"match_all": {}
}
}'
For http this is working; I need it to work with https.
Thanks
Yup ... I use Let's Encrypt certs and do it all the time.
If you have your own CA, it will need to be trusted by your client apps / curl etc.
One last question, I hope: does user elasticsearch need to be the owner of the pem files in the cert/ directory? Thanks
They need to be readable by the elasticsearch process; you choose your least-privilege model.
Once I got by the file privileges, it is WORKING. Thank you for your help.
Sorry, spoke too soon.
'''
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
'''
Not working
So you are using your own CA, not a public CA.
Try this...
curl -v -u elastic --cacert /fullpathtoCA.pem https://elastichost:9200
Your clients will need your CA, or it will need to be added to the client host's CA trust store.
Nothing unusual / Elasticsearch-special about this... All normal cert stuff; it would be exactly the same if you were using Apache or Nginx.
I created a CSR and uploaded it to the CA.
Certificate was created and "Download Certificate mv (w/ chain), PEM encoded by Setigo"
filename setigo.cer
This is not working:
curl -v -u elastic:password --cacert /etc/elastic/cert/setigo.cer https://elastichost:9200
The client in this case is curl on a remote host.
First, please always show the command AND response; can't help you without responses.
This needs to be the CA, not the cert.
--cacert /etc/elastic/cert/setigo.cer
Get your cert expert to get you the CA
So yes, they will need the CA, or that CA will need to be part of that host's CA truststore
OR you can run curl --insecure
or -k
which does not validate the cert and is not recommended.
Sorry about that, this was the response.
From above in thread you wrote
"Generate your certs, put them in the config folders, make sure they are readable and properly config. Support PEM and P12s"
So the Elasticsearch yml has a reference to the PEM-encoded cert,
and the curl command line --cacert needs to be the CA.
Not sure what this "This needs to be the CA" means, but I guess that is why you suggested "Get your cert expert to get you the CA". Thank you
A CA is a Certificate Authority little explanation.
I assumed CA was for Cert Authority. I don't understand your comment in the context of a curl command.
Did you mean the CA store file for the host and not the setigo.cer file?
Thanks
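The distinction the last posts turn on, the server certificate that elasticsearch.yml points at versus the CA certificate a client passes to --cacert, shown as an added example that is not part of the original thread. It builds a constructed throwaway CA and server certificate with openssl; the function names, the `Demo Root CA` subject and the `ca.pem`/`server.pem` file names are assumptions, and `openssl verify` is used as a stand-in for the client's chain check.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: a throwaway root CA plus a server cert it signs.
# All names and files here are made up; nothing comes from the thread's hosts.

make_demo_pki() {   # $1 = existing empty directory
  local d=$1
  printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca\n[dn]\nCN=Demo Root CA\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  # Stand-in for the third-party CA: self-signed root marked CA:TRUE
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Private key + CSR, as generated on the Elasticsearch host
  openssl req -new -config "$d/req.cnf" -subj "/CN=elastichost" -newkey rsa:2048 \
    -nodes -keyout "$d/privkey.pem" -out "$d/server.csr" 2>/dev/null || return 1
  # The CA signs the CSR; the result is an end-entity (leaf) certificate
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:elastichost\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/ext.cnf" -out "$d/server.pem" 2>/dev/null || return 1
  # Leaf first, then its issuer: the layout of a "with chain" PEM download
  cat "$d/server.pem" "$d/ca.pem" > "$d/fullchain.pem"
}

# Role of the FIRST certificate in a PEM file: "ca" or "leaf"
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo ca; else echo leaf; fi
}

# Can a client that trusts only file $1 validate server cert $2?
# openssl verify is used here as a stand-in for the client's chain check.
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
  local d; d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  echo "server.pem -> $(cert_role "$d/server.pem") (elasticsearch.yml: certificate)"
  echo "ca.pem     -> $(cert_role "$d/ca.pem") (curl: --cacert)"
  trusts "$d/ca.pem" "$d/server.pem"     && echo "trust ca.pem:     verify OK"
  trusts "$d/server.pem" "$d/server.pem" || echo "trust server.pem: verify FAILS (a leaf is not a trust anchor)"
  rm -rf "$d"
}
demo
```

Running `cert_role` against a downloaded PEM file tells you whether its first certificate is the server's own certificate or a CA certificate.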