Hi all,
In this video-
The video summary says that adding Let's Encrypt certs means that other nodes with publicly signed certs can connect, so use a firewall.
I am super confused about this - is it a security issue or not?
I plan to only have a single node, but the video comment also seems to conflate 'node' with 'client' so I'm not sure what's going on.
I've set up Elastic Fleet a couple of times and it seems to be really difficult to retrofit Let's Encrypt certs into the stack, i.e. 'for testing only' use self-signed certs (that path is well described), but production using 'real' (LE) certs...
Here's the text from the video:

If you use publicly signed SSL certificates for `xpack.security.transport.ssl` in elasticsearch.yml, like we did in our video (instead of the auto generated SSL certificates), make sure you use a firewall to white list only clients you trust. This statement applies to just your elasticsearch instances. This is because `xpack.security.transport.ssl` is meant to encrypt traffic for node cluster communication. However, elasticsearch designed their transport security with the intention of using their own auto-generated self-signed certificates, NOT publicly signed certificates. Elasticsearch authenticates other nodes based on these autogenerated self-signed certificates. If you use publicly signed certificates (e.g. Let's Encrypt, Verisign, Sectigo, etc...), then any other node in the world can join your cluster without any kind of authentication.
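The distinction the quoted text draws (transport-layer certificates double as node authentication, HTTP-layer certificates only need to be trusted by clients) is easier to see side by side in elasticsearch.yml. The fragment below is an added illustration, not configuration from the video or the original post; every file path, hostname and keystore name in it is an assumed placeholder, and the certutil invocations in the comments are the standard Elasticsearch tooling rather than anything the video showed.

```yaml
# ---- As the video configured it: a publicly signed cert on the transport layer ----
# Paths are assumed placeholders, not the video's actual values.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/privkey.pem
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/fullchain.pem
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/chain.pem" ]
# Why this is weak: a transport peer is accepted when it presents a certificate
# that chains to a CA in the trust list above. With a public CA in that list,
# any host holding a valid certificate from the same CA passes the TLS check,
# so keeping strangers out falls entirely on the firewall and on the
# discovery/cluster-name settings. That is the situation the video describes.

# ---- Hardened split: public cert where clients connect, private CA between nodes ----
# HTTP layer (Kibana, Fleet agents, Beats, browsers, curl): a Let's Encrypt cert is
# the right fit here, because these are clients that verify the server, not peers
# that get to join the cluster. Assumed hostname: es.example.com. The elasticsearch
# service account must be able to read these files after each renewal.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/letsencrypt/live/es.example.com/privkey.pem
xpack.security.http.ssl.certificate: /etc/letsencrypt/live/es.example.com/fullchain.pem

# Transport layer (node-to-node only): a private CA that exists only on your nodes.
# Generated with the bundled tool, for example:
#   bin/elasticsearch-certutil ca --out /etc/elasticsearch/certs/elastic-stack-ca.p12
#   bin/elasticsearch-certutil cert --ca /etc/elasticsearch/certs/elastic-stack-ca.p12 \
#       --out /etc/elasticsearch/certs/elastic-certificates.p12
# The resulting .p12 carries both the node key and the CA cert, so the same file
# serves as keystore and truststore; relative paths resolve under the config dir.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# Only certificates issued by this private CA are trusted on the transport port,
# so a would-be node must hold a key you issued, not merely a cert from a public CA.
# Firewalling the transport port to the nodes' own addresses remains good practice,
# but it is defence in depth rather than the only thing standing between the
# cluster and the internet.
```

A quick way to confirm which trust anchors a running node actually uses on each layer is to inspect the effective settings rather than the file on disk: `GET _nodes/settings` returns the resolved `xpack.security.transport.ssl.*` and `xpack.security.http.ssl.*` values (secure settings are redacted), which makes it obvious if a public chain file is still referenced under `transport`.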