ElasticPress Authentication for remote server

I am setting up a demo Elasticsearch server to take it for a spin on my Wordpress sites using ElasticPress plugin.

I have Elasticsearch setup properly, and Kibana as well in Debian on an OVH virtual machine to test.

The Elasticsearch server is listening on the public IP, but I am having trouble with any details about how to configure authentication for ElasticPress plugin.

There is much documentation that shows how to configure ElasticPress when the search server is running locally on the web server using localhost and no authentication, but in this case it's remote.

I've created a user and password in Kibana, and it doesn't seem to be working, though something seems to be hitting the search server depending on the way I configure the EP_HOST. When I use http in it

define( 'EP_HOST', 'http://1.1.1.1:9200/' );
define( 'ES_SHIELD', 'user:password' ); // <<< from Kibana

with the credentials like this, I get

"received plaintext http traffic on an https channel, closing connection Netty4HttpChannel" in the Elasticsearch log.

When I use https, I get no success.

Welcome!

It's definitely https you need to use.
It might be related to self signed certificates (Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.15] | Elastic).

With curl you can ignore some checks with -k option.

Maybe you need a similar option here? What are the available options for ElasticPress?

So, just getting back to this again after a great vacation.

Elasticsearch did get set up with the default shared SSL certificates it generated. Is this what we're saying needs to be updated to use one that is not self-signed?

When Elasticsearch auto-generates certificates for HTTPS, it does so with the following configuration:

  • One http certificate on each node, with the hostname & IP address according to its best understanding of the hostname & IP address the node is using. That can be imperfect, because it doesn't necessarily know all of the DNS or IP addresses that can be used to address the machine. It just relies on the configuration it has, and does not, for example, do a reverse DNS lookup for the host.
  • Each node certificate is signed by the same shared Certificate Authority, which was automatically generated by the first node.

It also generates a different set of certificates for communication between nodes (the transport port), but they aren't relevant here.

By default nothing that connects to Elasticsearch will know that it should trust that certificate authority. It's not a public CA, so curl doesn't know about it, and neither does ElasticPress.

Unless you replace the auto-generated certificates with something that is signed by a public CA (which you can do, if you wish), everything that connects to your Elasticsearch nodes will need to be configured to trust the CA.

For curl, there are three options:

  1. Use the -k / --insecure option which tells curl to trust anything it finds. This is typically fine when you're working on your local network because you know what is listening on 127.0.0.1:9200 or 192.168.1.10:9201 and the chances of getting rerouted to another malicious server are incredibly slim. It's less safe if you're routing traffic over a public network.
  2. Use the --cacert or --capath options to configure curl to trust your CA.
  3. Add your Elasticsearch CA to curl's trust store so that it always trusts it by default.

For Kibana there are a few options, but the most common are:

  1. Use an enrollment token, which has all the information Kibana needs, and it will automatically configure itself to do the right thing.
  2. Configure kibana.yml by hand and set elasticsearch.ssl.certificateAuthorities.

Unfortunately I can't find any documentation describing how to configure CAs for ElasticPress - their docs for working with self-hosted Elasticsearch seem to be very limited.

Since your Elasticsearch server is listening on a public IP address, you could probably reconfigure it to use a trusted CA like "Let's Encrypt", however the instructions for doing that are a bit more complicated than I can cover here.


Yeah, so just coming back to this now. The Elasticsearch utility to make CSRs doesn't let you specify address details, and then when you try to supply it to the CA to sign a certificate you get an error saying that the City is missing, so it's a circular loop.

Is it ok to just dive into the OS and make SSLs the regular way, and then configure Elasticsearch to use them the normal way instead of with the cert utility?
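The certificate layout described in the long answer above (private CA, per-node certificate with the hostname and IP in it) and the "make the certs the regular way" question, worked through as an added shell example that is not from this thread or from Elastic: it builds the CA and a node certificate with plain openssl, then runs the three client-side checks the answer discusses (CA unknown, CA trusted, name or IP matches the SAN). The hostname es-node-1, the address 203.0.113.10 and the scratch paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a private CA and a node
# certificate with plain openssl, then checks the certificate the way a
# client does. All names, addresses and paths are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir for keys and certs

# 1. Private CA: the role played by the CA Elasticsearch auto-generates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Elasticsearch CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Node key and CSR, signed by the CA with an explicit SAN so the
#    certificate names both the hostname and the IP clients will dial.
make_node_cert() {
  host="$1"; ip="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$WORK/san.ext"
  openssl x509 -req -days 365 -in "$WORK/node.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/node.crt" 2>/dev/null
}

# 3. Client-side checks; each prints yes or no.
# System trust store only: the private CA is unknown, so this fails
# (what curl hits without --cacert, and what -k papers over).
trusted_without_ca() {
  if openssl verify "$WORK/node.crt" >/dev/null 2>&1; then echo yes; else echo no; fi
}
# CA supplied (curl --cacert ca.crt): the chain verifies.
trusted_by_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/node.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}
# Chain plus name check: the host or IP the client used must be in the SAN,
# which is the part an auto-generated certificate can get wrong.
name_matches() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) opt=-verify_ip ;;
    *) opt=-verify_hostname ;;
  esac
  if openssl verify -CAfile "$WORK/ca.crt" "$opt" "$1" "$WORK/node.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

make_ca
make_node_cert es-node-1 203.0.113.10
echo "trusted_by_ca=$(trusted_by_ca) name_matches=$(name_matches es-node-1)"
```

The resulting node.key and node.crt are what elasticsearch.yml's xpack.security.http.ssl.key and xpack.security.http.ssl.certificate point at (with ca.crt under xpack.security.http.ssl.certificate_authorities), and ca.crt is the file a client hands to --cacert.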