Encrypting Communications in an Elasticsearch Docker Image


#1

I'm going over Encrypting Communications in an Elasticsearch Docker Image | Elasticsearch Reference. While preparing the environment, I had to create an instances.yml file, which will be used by create_certs later on.

Can someone shed some light on what the dns vars are for, especially the localhost part? Is that part of the FQDN for the node?

Thanks in advance.


(Magnus Kessler) #2

The content of the dns and ip section is translated into a Subject Alternative Name inside the generated certificates. Usually, you would put the hostname and/or the FQDN of your server here. Under docker, Elasticsearch binds to the localhost interface of the container, and external mapping is done via docker. AFAIK, for this to work correctly in a docker-compose setup, the IP address (127.0.0.1) and DNS name of the localhost interface have to be added to the SAN as well.


#3

If I already have a wildcard certificate that I'm paying for, would it make any sense to use that certificate for the nodes as well?


(Magnus Kessler) #4

I haven't yet tried this myself, using a wildcard certificate issued by one of the trusted CAs. However, you should be able to adjust the instructions to replace the self-signed certificates with those obtained from your CA.

If things go wrong, there are various settings for ssl.verification_mode that can be used to relax the verification policy in use. Depending on where errors occur, you may want to relax the setting to e.g. certificate. See the documentation for more details.

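The two answers above (#2 on why localhost and 127.0.0.1 belong in the dns/ip lists, and #4 on reusing a wildcard certificate) both come down to the same check: when verification_mode is full, the name a client connects to must match a Subject Alternative Name in the node's certificate. The following is an added example, not code from the thread or from Elastic; it renders an instances.yml in the layout elasticsearch-certutil reads, models the RFC 6125 hostname-matching rules (exact match for IPs, a leading wildcard covering one label only), and audits which connection targets each instance's SAN would leave uncovered. The three-node instance list and the *.example.com wildcard entry are constructed for illustration.

```python
"""Why instances.yml needs 'localhost' and '127.0.0.1' in its SAN entries.

Added example, not from the original thread or from Elastic's code. It models
the name-matching rules (RFC 6125 for DNS names, exact match for IP literals)
that TLS hostname verification applies when Elasticsearch's verification_mode
is 'full', and shows which connection targets an instances.yml entry covers.
"""
import ipaddress

# Constructed instances.yml content for a three-node docker-compose cluster.
# es03 deliberately omits the loopback entries to show what goes wrong.
INSTANCES = [
    {"name": "es01", "dns": ["es01", "localhost"], "ip": ["127.0.0.1"]},
    {"name": "es02", "dns": ["es02", "localhost"], "ip": ["127.0.0.1"]},
    {"name": "es03", "dns": ["es03"], "ip": []},
]

# Names every node is contacted as inside the container (healthchecks,
# curl from within) in addition to its own compose service name.
EXPECTED_TARGETS = ["localhost", "127.0.0.1"]


def render_instances_yml(instances):
    """Emit the instances.yml text in the layout elasticsearch-certutil --in reads."""
    lines = ["instances:"]
    for inst in instances:
        lines.append(f"  - name: {inst['name']}")
        if inst["dns"]:
            lines.append("    dns:")
            lines.extend(f"      - {d}" for d in inst["dns"])
        if inst["ip"]:
            lines.append("    ip:")
            lines.extend(f"      - {i}" for i in inst["ip"])
    return "\n".join(lines) + "\n"


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; a leading '*' stands for exactly
    one left-most label, never a dot, an empty label, or a bare TLD (*.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def san_covers(instance, target):
    """True if connecting to `target` (hostname or IP literal) would pass
    hostname verification against a certificate built from `instance`."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal, so compare against DNS SANs
        return any(dns_name_matches(p, target) for p in instance["dns"])
    return any(ipaddress.ip_address(i) == addr for i in instance["ip"])


def uncovered_targets(instance, targets):
    """The targets from `targets` that the instance's SAN does not cover."""
    return [t for t in targets if not san_covers(instance, t)]


def audit(instances, extra_targets=()):
    """Map each instance name to the expected targets its SAN would not cover."""
    return {
        inst["name"]: uncovered_targets(
            inst, [inst["name"], *EXPECTED_TARGETS, *extra_targets])
        for inst in instances
    }


if __name__ == "__main__":
    print(render_instances_yml(INSTANCES))
    for name, missing in audit(INSTANCES).items():
        print(f"{name}: {'ok' if not missing else 'uncovered: ' + ', '.join(missing)}")
    # A purchased wildcard certificate (hypothetical *.example.com) covers the
    # public names but none of the container-local ones, and no second-level name.
    wildcard = {"name": "wildcard", "dns": ["*.example.com"], "ip": []}
    print(uncovered_targets(
        wildcard, ["es01.example.com", "localhost", "127.0.0.1", "a.b.example.com"]))
```

Running it shows es03 failing for localhost and 127.0.0.1 while es01 and es02 pass, and the wildcard entry leaving localhost, 127.0.0.1 and a.b.example.com uncovered. That is the concrete reason the loopback entries are added to every instance, and why a CA-issued wildcard certificate on its own still produces hostname errors under verification_mode full unless clients only ever connect by a covered FQDN.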

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.