Enable TLS on 6.8.6 for OAuth Integration

Hi,

I need to integrate an ELK cluster running in K8 with Keycloak for user authentication.
It seems I first need to enable TLS security, for which I have already created the certificates and copied them. I have also set all the TLS-related configuration in elasticsearch.yml.

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

But after deploying the new image with the certificates the cluster is not coming up.

master logs:

[2020-06-17T22:31:10,315][INFO ][o.e.t.TransportService   ] [mon-elasticsearch-master-0] publish_address {192.168.155.33:9300}, bound_addresses {192.168.155.33:9300}
[2020-06-17T22:31:11,424][INFO ][o.e.b.BootstrapChecks    ] [mon-elasticsearch-master-0] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2020-06-17T22:31:11,492][WARN ][o.e.d.z.UnicastZenPing   ] [mon-elasticsearch-master-0] failed to resolve host [mon-elasticsearch-discovery]
java.net.UnknownHostException: mon-elasticsearch-discovery: Name or service not known
	at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method) ~[?:?]
	at java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:930) ~[?:?]
	at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1499) ~[?:?]
	at java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:849) ~[?:?]
	at java.net.InetAddress.getAllByName0(InetAddress.java:1489) ~[?:?]
	at java.net.InetAddress.getAllByName(InetAddress.java:1348) ~[?:?]
	at java.net.InetAddress.getAllByName(InetAddress.java:1282) ~[?:?]
	at org.elasticsearch.transport.TcpTransport.parse(TcpTransport.java:536) ~[elasticsearch-6.8.6.jar:6.8.6]
	at org.elasticsearch.transport.TcpTransport.addressesFromString(TcpTransport.java:489) ~[elasticsearch-6.8.6.jar:6.8.6]
	at org.elasticsearch.transport.TransportService.addressesFromString(TransportService.java:743) ~[elasticsearch-6.8.6.jar:6.8.6]
	at org.elasticsearch.discovery.zen.UnicastZenPing.lambda$resolveHostsLists$0(UnicastZenPing.java:189) ~[elasticsearch-6.8.6.jar:6.8.6]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681) [elasticsearch-6.8.6.jar:6.8.6]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at java.lang.Thread.run(Thread.java:830) [?:?]
[2020-06-17T22:31:14,524][INFO ][o.e.c.s.MasterService    ] [mon-elasticsearch-master-0] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {mon-elasticsearch-master-0}{mjVVKyUKTvam1KKQ9zlQ7w}{QBQoJVoBSsKTR3I0cuwGFg}{192.168.155.33}{192.168.155.33:9300}{xpack.installed=true}
[2020-06-17T22:31:14,530][INFO ][o.e.c.s.ClusterApplierService] [mon-elasticsearch-master-0] new_master {mon-elasticsearch-master-0}{mjVVKyUKTvam1KKQ9zlQ7w}{QBQoJVoBSsKTR3I0cuwGFg}{192.168.155.33}{192.168.155.33:9300}{xpack.installed=true}, reason: apply cluster state (from master [master {mon-elasticsearch-master-0}{mjVVKyUKTvam1KKQ9zlQ7w}{QBQoJVoBSsKTR3I0cuwGFg}{192.168.155.33}{192.168.155.33:9300}{xpack.installed=true} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)]])
[2020-06-17T22:31:14,556][INFO ][o.e.h.n.Netty4HttpServerTransport] [mon-elasticsearch-master-0] publish_address {192.168.155.33:9200}, bound_addresses {192.168.155.33:9200}
[2020-06-17T22:31:14,556][INFO ][o.e.n.Node               ] [mon-elasticsearch-master-0] started

But I see that the discovery service is up and running. As seen in the log, the master node has actually started but is not able to join the cluster.

The error you get is unrelated to TLS and to OAuth2 (I guess you mean OpenID Connect, as we don't support OAuth2). The error you get seems related to the mon-elasticsearch-master-0 that you have set in one of the discovery settings, and which can't be resolved. If you share your configuration, someone might help you spot the error.
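The distinction drawn in the reply above (a discovery host that DNS cannot resolve, not a TLS failure) can be checked mechanically against a node's startup log. The Python below is an added example written for this thread, not code from Elastic or from either poster: it parses the 6.x log-line layout quoted above, flags unresolved discovery hosts, single-node elections and TLS-layer exception names, and returns a one-line verdict. The sample lines are copied from the thread with the stack trace trimmed; the contrasting TLS sample is constructed here and its message wording is an assumption, not a verbatim Elasticsearch log line. All function and variable names are mine.

```python
import re

# Regexes for the 6.x log-line layout seen in the thread:
# [timestamp][LEVEL][logger] [node-name] message
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z ]+)\]\[(?P<logger>[^\]]+)\]\s+"
    r"\[(?P<node>[^\]]+)\]\s+(?P<msg>.*)$"
)
RESOLVE_FAIL = re.compile(r"failed to resolve host \[(?P<host>[^\]]+)\]")
ELECTED_ALONE = re.compile(r"elected-as-master \(\[0\] nodes joined\)")
# Java exception class names that point at the TLS layer rather than at discovery.
TLS_EXC = ("SSLHandshakeException", "SSLException", "CertificateException")


def parse_line(line):
    """Return the fields of one log line, or None for stack-trace / continuation lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = rec["level"].strip()
    rec["logger"] = rec["logger"].strip()
    return rec


def triage(lines):
    """Walk a node's startup log and collect the facts that decide TLS-vs-discovery."""
    f = {
        "unresolved_hosts": set(),   # discovery seed hosts that DNS could not resolve
        "tls_exceptions": set(),     # TLS-layer exception names seen on any line
        "elected_alone": False,      # node became master with zero peers joined
        "started": False,            # node reached "started"
    }
    for raw in lines:
        # Exception names appear on continuation lines, so check every raw line.
        for exc in TLS_EXC:
            if exc in raw:
                f["tls_exceptions"].add(exc)
        rec = parse_line(raw)
        if rec is None:
            continue
        m = RESOLVE_FAIL.search(rec["msg"])
        if m:
            f["unresolved_hosts"].add(m.group("host"))
        if ELECTED_ALONE.search(rec["msg"]):
            f["elected_alone"] = True
        if rec["logger"].endswith("Node") and rec["msg"] == "started":
            f["started"] = True
    return f


def verdict(f):
    """Reduce the collected facts to the one-line diagnosis a reviewer would give."""
    if f["tls_exceptions"]:
        return "tls: " + ", ".join(sorted(f["tls_exceptions"]))
    if f["unresolved_hosts"]:
        hosts = ", ".join(sorted(f["unresolved_hosts"]))
        return f"discovery: cannot resolve seed host(s) {hosts}"
    if f["elected_alone"]:
        return "discovery: node formed a single-node cluster, no peers joined"
    if f["started"]:
        return "ok: node started"
    return "unknown"


# Lines copied from the thread above; stack trace and node-id braces trimmed.
THREAD_LOG = """\
[2020-06-17T22:31:10,315][INFO ][o.e.t.TransportService   ] [mon-elasticsearch-master-0] publish_address {192.168.155.33:9300}, bound_addresses {192.168.155.33:9300}
[2020-06-17T22:31:11,492][WARN ][o.e.d.z.UnicastZenPing   ] [mon-elasticsearch-master-0] failed to resolve host [mon-elasticsearch-discovery]
java.net.UnknownHostException: mon-elasticsearch-discovery: Name or service not known
\tat java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method) ~[?:?]
[2020-06-17T22:31:14,524][INFO ][o.e.c.s.MasterService    ] [mon-elasticsearch-master-0] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {mon-elasticsearch-master-0}{...}
[2020-06-17T22:31:14,556][INFO ][o.e.n.Node               ] [mon-elasticsearch-master-0] started
""".splitlines()

# Constructed contrast case (assumption: wording is illustrative, not a real ES message)
# showing what a genuine transport-TLS failure would classify as.
TLS_LOG = """\
[2020-06-17T22:40:01,000][WARN ][o.e.t.TcpTransport       ] [mon-elasticsearch-master-0] exception caught on transport layer [Netty4TcpChannel{...}], closing connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
""".splitlines()

if __name__ == "__main__":
    print("thread log ->", verdict(triage(THREAD_LOG)))
    print("tls log    ->", verdict(triage(TLS_LOG)))
```

On the thread's own log the verdict is the discovery one: the only warning is the unresolvable `mon-elasticsearch-discovery` seed host, after which the node elects itself with zero peers and reports `started`, which is exactly "started but alone". A TLS problem would surface as an SSL exception on the transport layer instead, and the constructed second sample shows that branch.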

@ikakavas, thank you for your prompt response.
Yes, you are correct, the error is not related to TLS, but strangely, as soon as I turn off TLS security the cluster comes up without any error. I'm using Helm charts from


I have added TLS related configs in the yml file and created certificate p12 file.

I'm trying to integrate with Keycloak using OpenID Connect, which I guess is the right way to go. Though I was not able to find any documentation for OpenID Connect under version 6.8 (only SAML), I assume it's supported.

It actually isn't. It was introduced in 7.2.0.

@ikakavas Thanks for the confirmation. I had following configuration set for TLS:

    xpack.ml.enabled: false
    xpack.monitoring.enabled: true
    xpack.security.enabled: true
    xpack.watcher.enabled: false
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

When I set xpack.security.enabled to false, it works fine.

Appreciate your help.

Thanks.

Apologies, but I can't really see how setting xpack.security.enabled: true causes the error and logs you present in your first post.

I assume it's another setting, as I mentioned above, and the only way to help you is if you share your entire config (optimally the one that works and the one that doesn't).

@ikakavas Thanks for your help. It seems it was an issue with my Helm charts. I used the following:
https://github.com/elastic/helm-charts/tree/master/elasticsearch and they work seamlessly. Just for reference for others: the most important step is to generate your certs separately before deploying in K8.

Thanks,
