Elasticsearch 8.9.1 - How to extract the self-signed CA and server cert

Hi there,

Elasticsearch v8.9.1 installed via the ES apt repo on Ubuntu 22.04.

I need to extract the self-signed CA and https cert from my elasticsearch 8.9.1 setup to copy to a gitlab instance for https connections. I've done the following to extract the CA and server crt; can someone please confirm this is correct?

openssl pkcs12 -in /etc/elasticsearch/http.p12 -cacerts -nokeys -out CA.crt
openssl pkcs12 -in /etc/elasticsearch/http.p12 -clcerts -nokeys -out server.crt

I need to confirm as when I copy the above CA.crt and server.crt to my gitlab server into the trusted-certs dir, run gitlab-ctl reconfigure, and then use the gitlab embedded openssl to connect to my ES instance I get an error of verify error:num=19:self signed certificate in certificate chain.

Before I make a post on the GitLab support site about why my self-signed cert/CA aren't being recognized, I'd like to confirm that I am indeed extracting the CA and server certs from ES correctly.

Thanks!

Hi @saltspreader welcome to the community!

First, you should have got an http_ca.crt if you did the default install:

$ ls certs/
http.p12        http_ca.crt     transport.p12

Second, try with a curl to make sure you have the correct CA; this should work:

curl -v --cacert /path/to/http_ca.crt -u elastic https://elastichost:9200

If that works, then I would move on to GitLab...
I suspect you will need to reference the CA for the GitLab connection
or install it in the OS root trust keystore for CAs on the client Ubuntu server.
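
A self-contained way to check an extraction like the one in the question, added here as an example and not part of the original thread. It builds a constructed CA and server certificate (stand-ins for http_ca.crt and http.p12; every name, key and the password is made up), runs the same two openssl pkcs12 commands, then confirms that the extracted CA is the original CA and that the server certificate verifies against it but not against an unrelated CA.

```bash
#!/usr/bin/env bash
# Added example. All keys, names and the password are constructed stand-ins,
# not Elasticsearch's real files.
check_p12_extraction() (
  set -eu
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT; cd "$dir"
  pass=constructed-pass
  # Minimal config so the constructed CAs are marked CA:TRUE on any OpenSSL build.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > ca.cnf

  # Stand-in for http_ca.crt, plus an unrelated CA the server cert does not chain to.
  for ca in http_ca other_ca; do
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=constructed $ca" -keyout "$ca.key" -out "$ca.crt" 2>/dev/null
  done
  # Server certificate signed by the first CA, bundled the way http.p12 is.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=elastichost" \
    -keyout srv.key -out srv.csr 2>/dev/null
  openssl x509 -req -in srv.csr -CA http_ca.crt -CAkey http_ca.key \
    -CAcreateserial -days 1 -out srv.crt 2>/dev/null
  openssl pkcs12 -export -inkey srv.key -in srv.crt -certfile http_ca.crt \
    -passout "pass:$pass" -out http.p12

  # The two extraction commands from the question (password supplied inline here).
  openssl pkcs12 -in http.p12 -cacerts -nokeys -passin "pass:$pass" -out CA.crt
  openssl pkcs12 -in http.p12 -clcerts -nokeys -passin "pass:$pass" -out server.crt

  # Check 1: the extracted CA is the same certificate as the original CA file.
  fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
  [ "$(fp CA.crt)" = "$(fp http_ca.crt)" ] && echo "ca_match=yes" || echo "ca_match=no"
  # Check 2: the extracted server cert chains to the extracted CA.
  openssl verify -CAfile CA.crt server.crt >/dev/null 2>&1 \
    && echo "chain=ok" || echo "chain=fail"
  # Check 3: verification against a CA that did not sign it must fail.
  openssl verify -CAfile other_ca.crt server.crt >/dev/null 2>&1 \
    && echo "wrong_ca=ok" || echo "wrong_ca=fail"
)

check_p12_extraction
```

Against a real install, the same fingerprint and openssl verify checks can be run on the extracted files and the existing http_ca.crt without generating anything.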

Deleted my comments from 5 mins ago.

I think I've sorted my issue based on your curl syntax above. I've been using port 9300, which I (incorrectly) assumed was the https port.

Doing a curl as you suggest above to port 9200 on my ES server from my gitlab server works just fine.

Thanks!
