I am having trouble configuring the enterprise-search.yml. Specifically, it is unclear to me how to proceed with configuring enterprise search when the ssl method of configuring the elasticsearch cluster and the kibana were done through the automated method involving enrollment tokens, etc. But it seems that enterprise search potentially wants something much more involved than these automated methods. I am hoping to secure some assistance on how to proceed. To be clear, I have a four node cluster of elasticsearch up and running using https, and all nodes are talking to each other. I also have kibana set up using https, and it is talking with elasticsearch. I also have enterprise search installed and running (active) via systemctl. But I can't get enterprise search to connect to elasticsearch and kibana, because I am unclear on how to configure the enterprise-search.yml correctly. Also, and importantly, this is being run on premise.
Let me give you the relevant pieces of my YAML files:
elasticsearch.yml:
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 192.168.1.60
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
discovery.seed_hosts:
- 192.168.1.60:9300
- 192.168.1.43:9300
- 192.168.1.61:9300
- 192.168.1.63:9300
# --------------------------------------------------------------------------------
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["node1"]
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
kibana.yml:
# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"
# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
server.publicBaseUrl: "https://192.168.1.54:5601"
# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576
# The Kibana server's name. This is used for display purposes.
server.name: "es-cluster-kibana"
# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /usr/share/kibana/certs/cert.pem
server.ssl.key: /usr/share/kibana/certs/key.dec.pem
=================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.hosts: ['https://192.168.1.60:9200','https://192.168.1.43:9200','https://192.168.1.61:9200','https://192.168.1.63:9200']
# =================== System: Other ===================
# The path where Kibana stores persistent data not saved in Elasticsearch. Defaults to data
#path.data: data
# Specifies the host for enterpriseSearch
enterpriseSearch.host: https://192.168.1.54:3002
# Specifies the path where Kibana creates the process ID file.
pid.file: /run/kibana/kibana.pid
# This section was automatically generated during setup.
logging.appenders.file.type: file
logging.appenders.file.fileName: /var/log/kibana/kibana.log
logging.appenders.file.layout.type: json
logging.root.appenders: [default, file]
#pid.file: /run/kibana/kibana.pid
#elasticsearch.hosts: ['https://192.168.1.60:9200']
elasticsearch.serviceAccountToken: randomToken
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1704244407180.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://192.168.1.60:9200','https://192.168.1.43:9200','https://192.168.1.61:9200','https://192.168.1.63:9200'], ca_trusted_fingerprint: randomFingerprint}]
enterprise-search.yml:
# ---------------------------------- Secrets ----------------------------------
#
# Encryption keys to protect your application secrets. This field is required.
#
secret_management.encryption_keys: [randomEncryptionKeys]
#
#
------------------------------- Elasticsearch -------------------------------
#
# Enterprise Search needs one-time permission to alter Elasticsearch settings.
# Ensure the Elasticsearch settings are correct, then set the following to
# true. Or, adjust Elasticsearch's config/elasticsearch.yml instead.
# See README.md for more details.
#
allow_es_settings_modification: true
#
# Elasticsearch full cluster URL:
#
elasticsearch.host: ['https://192.168.1.60:9200','https://192.168.1.43:9200','https://192.168.1.61:9200','https://192.168.1.63:9200']
#
# Elasticsearch credentials:
#
#elasticsearch.username: elastic
#elasticsearch.password: changeme
#
# Alternatively, use a service token to connect to Elasticsearch:
#
# SSL communication with Elasticsearch enabled or not.
#
elasticsearch.ssl.enabled: true
#
# Path to client certificate file to use for client-side validation from Elasticsearch.
#
#elasticsearch.ssl.certificate: /usr/share/enterprise-search/config/certs/http_ca.crt
#
# Path to the keystore that contains Certificate Authorities for Elasticsearch SSL certificate.
#
elasticsearch.ssl.certificate_authority: /usr/share/enterprise-search/config/certs/http_ca.crt
#
# Path to the key file for the client certificate.
#
#elasticsearch.ssl.key:
#
# Passphrase for the above key file.
#
#elasticsearch.ssl.key_passphrase:
#
# true to verify SSL certificate from Elasticsearch, false otherwise.
#
#elasticsearch.ssl.verify: true
elasticsearch.service_account_token: randomESToken
#
# Elasticsearch SSL settings:
#
# SSL communication with Elasticsearch enabled or not.
#
elasticsearch.ssl.enabled: true
#
# Path to client certificate file to use for client-side validation from Elasticsearch.
#
#elasticsearch.ssl.certificate: /usr/share/enterprise-search/config/certs/http_ca.crt
#
# Path to the keystore that contains Certificate Authorities for Elasticsearch SSL certificate.
#
elasticsearch.ssl.certificate_authority: /usr/share/enterprise-search/config/certs/http_ca.crt
#
# Path to the key file for the client certificate.
#
#elasticsearch.ssl.key:
#
# Passphrase for the above key file.
#
#elasticsearch.ssl.key_passphrase:
#
# true to verify SSL certificate from Elasticsearch, false otherwise.
#
#elasticsearch.ssl.verify: true
#
# Elasticsearch startup retry:
#
#elasticsearch.startup_retry.enabled: true
#elasticsearch.startup_retry.interval: 5 # seconds
#elasticsearch.startup_retry.fail_after: 600 # seconds
#
# ---------------------------------- Kibana -----------------------------------
#
# Define the URL at which Enterprise Search can reach Kibana.
# Defaults to http://localhost:5601 for testing purposes.
#
#kibana.host: http://localhost:5601
#
# Define the exposed URL at which users can reach Kibana.
# Defaults to the kibana.host setting value if not set.
#
kibana.external_url: https://192.168.1.54:5601
# ------------------------------- Hosting & Network ---------------------------
#
# Define the exposed URL at which users will reach Enterprise Search.
# Defaults to localhost:3002 for testing purposes.
# Most cases will use one of:
#
# * An IP: http://255.255.255.255
# * A FQDN: http://example.com
# * Shortname defined via /etc/hosts: http://ent-search.search
#
ent_search.external_url: https://192.168.1.54:3002
#
# Web application listen_host and listen_port.
# Your application will run on this host and port.
#
# * ent_search.listen_host: Must be a valid IPv4 or IPv6 address.
# * ent_search.listen_port: Must be a valid port number (1-65535).
#
#ent_search.listen_host: 127.0.0.1
#ent_search.listen_port: 3002
# ---------------------------------- TLS/SSL ----------------------------------
#
# Configure TLS/SSL encryption.
#
ent_search.ssl.enabled: true
#ent_search.ssl.keystore.path:
#ent_search.ssl.keystore.password:
#ent_search.ssl.keystore.key_password:
#ent_search.ssl.redirect_http_from_port:
#