You have two options:
- Change the server to use a certificate chain that the client already trusts
- Change the client so that it trusts the server's generated certificate.
What you can't do is change something on the server in order to make the client trust the server's existing certificate.
That's fundamental to the security of TLS - if the client doesn't trust the server's certificate then the server can't make the client do so. The client is in charge of who they trust - the server either needs to become trustworthy, or you need to change the client.
Option 1: Change the server certificate.
Elasticsearch auto-configuration generates its own CA (Certificate Authority), and then generates a server certificate for each node (that is signed by that CA).
This means that no existing client knows about your custom CA, and they don't trust it.
It has to be this way because there is (often) nothing trustworthy about a random Elasticsearch node running somewhere on the internet. I can configure my Elasticsearch node so that claims to be www.supermegabank.com
, and security auto-configuration will generate a certificate for that address. But no client should actually (by default) trust that my server really does belong to Super Mega Bank. And the server can't make the client trust it because that would defeat one of the purposes of certificates - to know that you're really talking to the right server.
However, there are ways you can get a trusted certificate for your server.
- Using an automated certificate issuer like Let's Encrypt
- Using a commercial certificate issuer
- Using a corporate certificate issuer
Each of those require that you have a real domain name for your server (but in the last case if doesn't have to be a public domain name).
If you're inside a corporate environment, talk to your internal team about how to get a corporate issued certificate for your nodes.
Otherwise, if you have a domain name that you control, and can make changes to, then look at https://letsencrypt.org/ and read through their instructions.
Option 2: Change the client configuration
This depends on what the client is. Unfortunately there are no universal standards, so you might have to do different things for different clients.
Official Elasticsearch language clients support a "CA fingerprint". When you configured Elasticsearch, the fingerprint should have been printed to the console, but you can also generate it with tools like openssl
Most clients will have some way of configuring a trusted Certificate Authority. The PEM formatted certificate for the cluster's certificate authority will be in your Elasticsearch configuration directory, in a file named http_ca.crt
.
You will need to consult with your client tools about how to configure them to use that.
For example, curl
supports a --cacert
option.