Ok @DataStorageMuse follow me on this (I am not the cert expert ... but I can get around)
So the problem is most likely that the http.p12
cert does not contain the external IP address that you are using... in fact I am sure it does not
```yaml
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
```
you can check with...
```sh
openssl s_client -connect <yourexternalip>:9200 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns
```
and what you are going to get is... something like
```
depth=1 CN = Elasticsearch security auto-configuration HTTP CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
poll error
                keyid:D7:2D:86:BF:E7:C5:B6:20:67:20:40:5D:8F:AF:B3:85:2E:DF:B1:FC

            X509v3 Subject Alternative Name:
                IP Address:FE80:0:0:0:4001:AFF:FEA8:C, DNS:localhost, IP Address:0:0:0:0:0:0:0:1, IP Address:127.0.0.1, IP Address:10.168.0.12, DNS:stephenb-es-8-test
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
```
Note the Subject Alternative Name... it names all the IP addresses and they are all the local ones... not that public IP... and the hostname ... That is why the cert fails externally... period ... it will never work via the public IP unless you use `--insecure`
or `verification_mode: none`
Now you ask... that's all great Mr @stephenb but how do I fix it ....
Well you would need to generate a cert that DOES include that external address...
You could create a real cert through Let's Encrypt etc. with real DNS
Or you can use the Elasticsearch self-signing tools
Take a look at this very detailed post on how to do this manually ... or you can piece it together with this and this
THE KEY IS when you get to the part that says
```
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
10.168.0.116
127.0.0.1
```
Make sure you add that external address... as well
You will then need to make sure you use the new CA in all the right places and the correct certs...
Ohhh BTW a complete cheat is: in your /etc/hosts set the hostname to that public IP and it will work too. Total hack but a good check..
Then this worked for me
```sh
curl -v --cacert ./http_ca.crt -u elastic:password https://stephenb-es-8-test:9200
```
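As an added example (my code, not from the post above), this Python snippet parses the SAN line that `openssl x509 -text` printed and applies the same decision a TLS client makes, so you can see exactly why the public IP fails while `10.168.0.12` and `stephenb-es-8-test` pass. The `fetch_san` helper, the `http_ca.crt` filename and the `203.0.113.x` "public" address are assumptions.

```python
"""Check whether a host or IP is actually covered by a certificate's
Subject Alternative Name, using the SAN format openssl/Python print."""
import ipaddress
import socket
import ssl

# Constructed sample: the SAN line quoted in the post (local addresses + hostname only).
SAMPLE_SAN = ("IP Address:FE80:0:0:0:4001:AFF:FEA8:C, DNS:localhost, "
              "IP Address:0:0:0:0:0:0:0:1, IP Address:127.0.0.1, "
              "IP Address:10.168.0.12, DNS:stephenb-es-8-test")

def parse_san(line):
    """Return (dns_names, ip_addresses) from an openssl-style SAN line."""
    dns, ips = [], []
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            # ip_address() normalises forms like FE80:0:0:0:... and 0:0:0:0:0:0:0:1
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def san_covers(target, san_line):
    """True if the SAN covers `target`: an IP literal must equal an IP entry
    (a DNS entry never satisfies it), hostnames match case-insensitively,
    and a wildcard replaces only the leftmost label."""
    dns, ips = parse_san(san_line)
    try:
        return ipaddress.ip_address(target) in ips
    except ValueError:
        pass  # not an IP literal, fall through to hostname matching
    host = target.lower().rstrip(".")
    for name in dns:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def fetch_san(host, port=9200, cafile="http_ca.crt"):
    """Live variant (assumed helper, not exercised offline): pull the SAN from a
    running node. The chain is still verified against the HTTP CA; only the
    hostname check is skipped so we can inspect what the cert really claims."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
    return ", ".join(f"{kind}:{value}" for kind, value in san)
```

Feed the output of `fetch_san("<yourexternalip>")` into `san_covers("<yourexternalip>", ...)` and a `False` result is the same failure curl reports without `--insecure`.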