I am running elastic 8.4. From the documentation, it says that the security is automatically enabled and configured. But when I get my elasticsearch running and visit https:localhost:9200 I get the message:
Your connection to this site is not secure
This is what my elastic.yml file looks like. Is there something else required from the user to configure security?
# Enable security features
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
node.data : true
network.host : 0.0.0.0
discovery.seed_hosts : []
discovery.type: single-node
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["${ELK_SERVER_IP}"]
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
there's no manual configuration. The only manual change was resetting the password. Could that be a reason? I also copied http_ca.crt from etc/elasticsearch/certs/http_ca.crt to /etc/logstash/certs
I guess you were connecting https://localhost:9200 using a browser.
The message Your connection to this site is not secure means the Browser does not trust the server (Elasticsearch)'s TLS certificate (i.e. certs/http.12). It is expected because the certificate is generated locally and not anchored to any publicly trusted CA.
Bottom line is: Security is enabled and TLS is in action. Otherwise you'll get a completely different error message like " This site can’t provide a secure connection".
Yes. Auto-configuration will reset the elastic user password the first time you start up a fresh install. If you manually reset the password, that can be a reason why auto-configuration was skipped.
Try a fresh install in a temporary folder, and run bin/elasticsearch. View the log and see if auto-configuration runs.
Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.