Enabling TLS & RBAC on an existing cluster with indexes


Below is the scenario.

I have a multi-node Elasticsearch cluster with indices. I want to enable TLS and RBAC security on it.

If I follow the steps given in the documentation, would that work?
As there are indices already on it, I want to know if there is any precaution I need to take while working through the steps to enable TLS and RBAC.


Yes :slight_smile:

Just keep in mind that right now all your users have access to all the indices. When you enable security, the users that authenticate will not by default have access to any indices, as you will need to create and assign them roles that give them the required access to indices (this is what RBAC is).

Thanks @ikakavas.

After setting up TLS & RBAC, I am trying the below curl command. But it is giving me an error.

curl -X GET --cacert -/etc/elasticsearch/cert/HOST_IP.p12 --user user:pass "https://HOST_IP:9200/_cat/indices?v"


curl: (77) Problem with the SSL CA cert (path? access rights?)

I even tried with elastic-ca-cert.p12 file, but same error.
I have given full permission to the .p12 files.

I could get response using -k option but I want to use --cacert option.


This is a curl question rather than an Elasticsearch one.

curl can't read CA certificates from PKCS#12 stores so you need to export the CA certificate in PEM format. Try

openssl pkcs12 -in elastic-ca-cert.p12 -cacerts -nokeys | sed '/-----BEGIN CERTIFICATE-----/,$!d' > cacert.crt


curl -X GET --cacert <changethis/to/the/path/to/cacert.crt> --user user:pass "https://HOST_IP:9200/_cat/indices?v"
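The export step in the reply above, as an added shell example that is not from the thread and not Elastic's own tooling: it builds a throwaway CA and one node certificate with the openssl CLI to stand in for a node's HOST_IP.p12 (all file names, the CN values and the password "changeit" are constructed), extracts the CA certificate from the store into PEM, and then verifies offline that the node certificate chains to that PEM file, which is the same trust check curl performs against --cacert. It also covers the case where -cacerts prints nothing, which can happen with a CA-only store such as elastic-stack-ca.p12 because the CA certificate sits next to its private key there. Assumes openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
# Demonstrates: PKCS#12 store -> PEM CA bundle for curl --cacert -> offline
# check that the node certificate really chains to the exported CA.

# make_demo_p12 DIR: create a throwaway CA and a node certificate signed by it,
# then pack node key + node cert + CA into DIR/node-1.p12, mirroring what a
# node's HOST_IP.p12 from elasticsearch-certutil cert contains. Demo only.
make_demo_p12() {
  d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Elastic CA
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = node-1\n' > "$d/node.cnf"
  # self-signed CA (constructed, 1-day validity)
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # node key + CSR, signed by the CA
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$d/node.cnf" -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/node.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/node.crt" 2>/dev/null
  # PKCS#12 store: node cert+key as the entry, CA cert as extra chain cert
  openssl pkcs12 -export -name node-1 -in "$d/node.crt" -inkey "$d/node.key" \
    -certfile "$d/ca.crt" -out "$d/node-1.p12" -passout pass:changeit
}

# export_ca_pem P12 PASSWORD OUT: write the CA certificate(s) in P12 to OUT as
# PEM. The sed range keeps only the PEM blocks, dropping the "Bag Attributes"
# and subject/issuer lines openssl prints around each certificate, so OUT is a
# clean bundle for curl --cacert. If -cacerts yields nothing (openssl treats a
# certificate that carries a localKeyID, i.e. one stored with its key, as a
# "client" cert), fall back to every certificate in the store.
export_ca_pem() {
  p12="$1"; pw="$2"; out="$3"
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
  if [ ! -s "$out" ]; then
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
  fi
  # a wrong password or an empty store leaves OUT empty: report failure
  [ -s "$out" ]
}

# count_certs PEMFILE: number of certificates in the bundle.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# ca_issued_cert CAPEM CERT: succeeds only if CERT chains to CAPEM, which is
# the trust decision curl makes with --cacert, performed offline here.
ca_issued_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run of the whole flow.
demo() {
  d=$(mktemp -d)
  make_demo_p12 "$d"
  export_ca_pem "$d/node-1.p12" changeit "$d/cacert.crt"
  echo "CA certificates exported: $(count_certs "$d/cacert.crt")"
  if ca_issued_cert "$d/cacert.crt" "$d/node.crt"; then
    echo "node-1 certificate chains to the exported CA"
  fi
  echo "then: curl --cacert $d/cacert.crt --user user:pass \"https://HOST_IP:9200/_cat/indices?v\""
}
```

Run `demo` to see the flow end to end. The password is passed with -passin here only because the store is throwaway; for a real elastic-stack-ca.p12 or node store, omit -passin and let openssl prompt so the password does not land in shell history or process listings.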

@ikakavas: Should I be generating the .cert file from elastic-stack-ca.p12 (generated by elasticsearch-certutil ca; this would mean the same .cert file across the cluster) or from the node-specific .p12 files (a .cert file for each node)?


You should be using the same CA for all your nodes in your cluster, so you should have one elastic-ca-cert.p12 file, and it should be enough that curl trusts this CA certificate.

I'm using "should" as you haven't shared anything with us about your setup, so all we can do is guess :slight_smile:

@ikakavas: I have followed the default steps given in the documentation:

  1. generated CA
  2. generated multiple certificates using IP, moved them to the other nodes and placed them in the /etc/elasticsearch/certs directory. Set permissions.
  3. added the required configurations for TLS and HTTP in the elasticsearch.yml file
  4. Generated passwords for built-in users.

With elasticsearch-certutil ca, it generated the elastic-stack-ca.p12 file, and with elasticsearch-certutil cert, I generated multiple HOST_IP.p12 files for the nodes, which I moved in step 2 above.

As you have already said that there should be one elastic-ca-cert.p12, I believe you are referring to the file generated by elasticsearch-certutil ca.

Correct me if I am wrong here.

I tried with elastic-stack-ca.p12 and it works for me.

Thanks again.

