Explanation for potential security issue?

Hi all,
In this video:

the video summary says that adding Let's Encrypt certs means that other nodes with publicly signed certs can connect, so use a firewall.
I am super confused about this - is it a security issue or not?

I plan to only have a single node, but the video comment also seems to conflate 'node' with 'client' so I'm not sure what's going on.
I've set up Elastic Fleet a couple of times and it seems to be really difficult to retrofit Let's Encrypt certs into the stack, i.e. 'for testing only' use self-signed certs (that path is well described), but production using 'real' (LE) certs...

Here's the text from the video:

If you use publicly signed SSL certificates for xpack.security.transport.ssl in elasticsearch.yml, like we did in our video (instead of the auto-generated SSL certificates), make sure you use a firewall to whitelist only clients you trust. This statement applies to just your elasticsearch instances.

This is because xpack.security.transport.ssl is meant to encrypt traffic for node cluster communication. However, elasticsearch designed their transport security with the intention of using their own auto-generated self-signed certificates, NOT publicly signed certificates. Elasticsearch authenticates other nodes based on these auto-generated self-signed certificates. If you use publicly signed certificates (e.g. Let's Encrypt, Verisign, Sectigo, etc.), then any other node in the world can join your cluster without any kind of authentication.

I haven't watched the video, but the text you quoted is accurate. Note that this is by design:

Don't use certificates from a public CA for transport security. See these docs for more information:

For the transport layer, we recommend using a separate, dedicated CA instead of an existing, possibly shared CA so that node membership is tightly controlled.
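To make the distinction concrete, here is an elasticsearch.yml fragment as an added example (not from the video, the docs, or Elastic's own configuration). It keeps a publicly trusted certificate on the HTTP layer, where clients such as Kibana, Fleet Server and agents authenticate with credentials or API keys, and puts a dedicated private CA on the transport layer, where the certificate itself is what admits a node to the cluster. All file paths, the CA file name and the node name are assumptions; paths are relative to the node's config directory.

```yaml
# elasticsearch.yml (added example; file paths and names are assumed)

# --- HTTP layer: a publicly trusted certificate (e.g. Let's Encrypt) is appropriate here.
# It only proves the server's identity to clients; clients still authenticate separately.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: certs/http/fullchain.pem   # Let's Encrypt leaf + chain
xpack.security.http.ssl.key: certs/http/privkey.pem

# --- Transport layer, RISKY variant (the setup the video describes), shown commented out:
# Trusting the public CA means any node presenting any certificate from that CA
# passes verification and can join the cluster. A firewall on port 9300 is the only gate.
# xpack.security.transport.ssl.enabled: true
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.certificate: certs/http/fullchain.pem
# xpack.security.transport.ssl.key: certs/http/privkey.pem
# xpack.security.transport.ssl.certificate_authorities: [ "certs/http/public-root-ca.pem" ]  # assumed path to the public root

# --- Transport layer, recommended variant:
# Trust only a private CA you control, so cluster membership is limited to nodes
# holding a certificate you issued. Even a single-node cluster listens on the transport
# port, so this matters there too.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full   # also checks the peer's hostname/IP against its certificate
xpack.security.transport.ssl.certificate: certs/transport/node-1.crt
xpack.security.transport.ssl.key: certs/transport/node-1.key
xpack.security.transport.ssl.certificate_authorities: [ "certs/transport/elastic-stack-ca.crt" ]
```

The private CA and per-node certificates for the transport block can be produced with `bin/elasticsearch-certutil ca` followed by `bin/elasticsearch-certutil cert --ca-cert ... --ca-key ...`; the HTTP block is where the Let's Encrypt material belongs, so retrofitting "real" certs does not require touching transport at all. The firewall advice from the video still applies as defence in depth, but with a dedicated transport CA it is no longer the only thing keeping unknown nodes out.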

Thanks for the quick reply @DavidTurner.
I've read that doc a couple of times, but it looks like I need to understand it better. Cheers.