Hi all!!
I have a problem when trying to configure SSL and HTTPS for Elasticsearch. I have an Elasticsearch container on my localhost. I use "docker-compose up -d" to start the Elasticsearch container and exec into it as the root user. (I use the Elasticsearch 8.1.3 image.)
After that I ran the following 2 commands to create the CA certificate:
./bin/elasticsearch-certutil ca --pem
./bin/elasticsearch-certutil ca
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --pem
I did not use a password for the CA and cert. I unzipped "certificate-bundle.zip" and "elastic-stack-ca.zip", and I have a "ca" folder and an "instance" folder. Inside the "ca" folder I have "ca.crt" and "ca.key"; inside the "instance" folder I have "instance.crt" and "instance.key".
I copied the "ca.crt", "ca.key", "instance.crt" and "instance.key" files to the /etc/elasticsearch/ path with these commands:
mkdir /etc/elasticsearch
cp -r ca/ca.* /etc/elasticsearch/
chmod 644 /etc/elasticsearch/ca.*
cp -r instance/instance.* /etc/elasticsearch/
chmod 644 /etc/elasticsearch/instance.*
(Note: I don't know why my Elasticsearch container doesn't have a default /etc/elasticsearch path.)
After these 4 commands I have:
and here is my elasticsearch.yml file:
---
## Default Elasticsearch configuration from Elasticsearch base image.
## https://github.com/elastic/elasticsearch/blob/master/distribution/docker/src/docker/config/elasticsearch.yml
#
cluster.name: "docker-cluster"
network.host: 0.0.0.0
## X-Pack settings
## see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
#
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/instance.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/instance.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/ca/ca.crt
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/instance.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/instance.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/ca/ca.crt
I restarted my Elasticsearch container, checked the log with the command "docker logs -f Elasticsearch", and got this error:
failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM certificate_authorities [/etc/elasticsearch/ca/ca.crt] because access to read the file is blocked; SSL resources should be placed in the [/usr/share/elasticsearch/config] directory
Likely root cause: java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/elasticsearch/ca/ca.crt" "read")
Do you have any suggestions for me? I'm new to Elasticsearch.
Thanks for your support.
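An added example, not part of the original post: a shell check that audits every PEM path in an elasticsearch.yml against the config directory the error message names, and also flags private keys left readable by group or other (which chmod 644 does). The function name `check_ssl_paths`, its output labels and the temp-dir demo layout are hypothetical; it assumes one scalar path per setting, without spaces.

```shell
#!/usr/bin/env bash
# Added example (not from the post). Each PEM path in elasticsearch.yml must
# exist inside the config directory, and private keys must not be readable by
# group/other. Assumes one scalar path per setting (no YAML lists).

check_ssl_paths() {  # usage: check_ssl_paths <elasticsearch.yml> [config_dir]
  local yml="$1" conf="${2:-/usr/share/elasticsearch/config}"
  local setting path perms
  grep -E '^xpack\.security\.(transport|http)\.ssl\.(key|certificate|certificate_authorities):' "$yml" |
  while IFS=: read -r setting path; do
    path=$(printf '%s' "$path" | tr -d "\"' ")        # strip quotes and spaces
    # Relative paths are resolved against the config directory.
    case "$path" in /*) ;; *) path="$conf/$path" ;; esac
    case "$path" in
      "$conf"/*) ;;
      *) echo "OUTSIDE $setting $path" ;;             # blocked by the JVM policy
    esac
    if [ ! -f "$path" ]; then
      echo "MISSING $setting $path"
    elif [ "${setting##*.}" = key ]; then
      perms=$(ls -ld "$path" | cut -c5-10)            # group + other bits
      [ "$perms" = "------" ] || echo "KEYPERM $setting $path"
    fi
  done
  return 0
}

# Constructed demo: a layout like the post's, recreated under a temp dir
# ($d/etc stands in for /etc/elasticsearch, $d/config for the config dir).
demo() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/etc" "$d/config"
  touch "$d/etc/instance.key" "$d/etc/instance.crt" "$d/etc/ca.crt"
  chmod 644 "$d/etc/instance.key"
  cat > "$d/elasticsearch.yml" <<EOF
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: $d/etc/instance.key
xpack.security.http.ssl.certificate: $d/etc/instance.crt
xpack.security.http.ssl.certificate_authorities: $d/etc/ca/ca.crt
EOF
  check_ssl_paths "$d/elasticsearch.yml" "$d/config"
  rm -rf "$d"
}
demo
```

On the constructed layout every path is reported as OUTSIDE, the CA path as MISSING (the file was copied to `ca.crt`, not `ca/ca.crt`), and the key as KEYPERM.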