Elasticsearch security warning when i connect to cluster from outside

Elastic Stack Elasticsearch
#1

Hello,

i was able to secure my elastic cluster with certificates generated from elasticsearch-certutil command, but i f try to open my node : https://elk-001:9200 from outside , receive warning from browser, about the certificates , firefox show me :

Someone could be trying to impersonate the site and you should not continue.
 
Websites prove their identity via certificates. Firefox does not trust elk-001:9200 because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
 
Error code: SEC_ERROR_UNKNOWN_ISSUER
 
View Certificate

this is from edge:

    This server couldn't prove that it's **elk-001** ; its security certificate is from **elk-elastic- 
    cluster-node-1** . This may be caused by a misconfiguration or an attacker intercepting your 
    connection.

I installed on client ca.crt generated from elastic , but it wasn't helpful to solve the issue.
Can you help me?

#2

The certificate warning you receive is a valid one. Firefox and Edge ( as all browsers ) come with a predefined list of Certificate Authorities they trust to issue certificates for TLS and they only trust certificates signed by those. You have created your own certificates signed by a custom self generated CA with elasticsearch tooling and your browser tells you that it doesn't trust the certificate as it is not issued by one of the CAs it knows and trusts.

Your solutions are:

  • Install the CA certificate that was generated by the elasticsearch-certutil command as a trusted certfiicate authority in your browser settings. This will ensure that you don't get the warning any more but has 2 caveats. A) You need to make sure that CA key is stored securely and b) you need to install the CA certificate to all browsers/systems used to access that cluster.
  • Get yourself a TLS certificate for your domain by a well known and trusted CA and use that instead of the self-generated one.

BTW, Elasticsearch's REST API is not best consumed over a browser, how are you planning on interacting with it in the long run ?

What did you do, exactly?

#3

Thanks for reply,

I accessed from browser only to check if the cluster were in healthy status,
but it's probably something the QA wants.

On my machine, (im using windows 10), i have imported the CA, generated from elastic command elasticsearch-certutil, ca.crt under trusted root certification authority, and also, under intermediate certification authority.
But the warning is still there.

#4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.