Hi @michael.russell,
I tried generating certificates using the openssl command; below are the steps I tried:
ubuntu@ip-172-16-27-109:~/KubernetesCluster/elasticsearch7/helm-charts$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /home/ubuntu/KubernetesCluster/elasticsearch7/helm-charts/elastic.key -out /home/ubuntu/KubernetesCluster/elasticsearch7/helm-charts/elastic.crt
Generating a 2048 bit RSA private key
.....................................+++
...........+++
writing new private key to '/home/ubuntu/KubernetesCluster/elasticsearch7/helm-charts/elastic.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Bangalore
Locality Name (eg, city) []:Karnataka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microland
Organizational Unit Name (eg, section) []:Automation
Common Name (e.g. server FQDN or YOUR name) []:security-master
Email Address []:abc@microland.com
I gave the Common Name as "security-master" because the name of the Elasticsearch service is the same. Then I tried converting it to .p12 format using the steps below:
- I copied both the key and crt files into a txt file and executed the command below:
openssl pkcs12 -export -in elastic.txt -out elastic-certificates.p12
Then I created Kubernetes secrets for the authentication credentials and certificates and ran the helm command below to set up Elasticsearch with security enabled:
helm upgrade --namespace intelligeni-2 --wait --timeout=600 --install --values /home/ubuntu/KubernetesCluster/elasticsearch7/helm-charts/elasticsearch/examples/security/security.yml elasticsearch /home/ubuntu/KubernetesCluster/elasticsearch7/helm-charts/elasticsearch
Below is the output of helm status elasticsearch:
ubuntu@ip-172-16-27-109:~$ helm status elasticsearch
LAST DEPLOYED: Wed Jun 12 09:57:59 2019
NAMESPACE: intelligeni-2
STATUS: DEPLOYED
RESOURCES:
==> v1beta1/PodDisruptionBudget
NAME AGE
security-master-pdb 1d
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
security-master-0 2/2 Running 0 1d
security-master-1 2/2 Running 0 1d
security-master-2 2/2 Running 0 1d
==> v1/ConfigMap
NAME AGE
security-master-config 1d
==> v1/StorageClass
elasticsearch7 1d
==> v1/Service
security-master 1d
security-master-headless 1d
==> v1beta1/StatefulSet
security-master 1d
NOTES:
1. Watch all cluster members come up.
$ kubectl get pods --namespace=intelligeni-2 -l app=security-master -w
2. Test cluster health using Helm test.
$ helm test elasticsearch
I went inside one of the Elasticsearch pods (kubectl exec -it security-master-0 bash -n) to check the cluster health with authentication:
[root@security-master-0 elasticsearch]# curl -u elastic:changeme http://security-master:9200/_cluster/health?pretty=true
curl: (52) Empty reply from server
[root@security-master-0 elasticsearch]# curl -u elastic:changeme http://localhost:9200
curl: (52) Empty reply from server
Can you please tell me why the response shows "Empty reply from server"?
[root@security-master-0 elasticsearch]# curl -u elastic:changeme https://security-master:9200/_cluster/health?pretty=true
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
If I change the protocol to https I get the above response, but I am not sure why certificate verification failed.
[root@security-master-0 elasticsearch]# curl -k -u elastic:changeme https://security-master:9200/_cluster/health?pretty=true
{
"cluster_name" : "security",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 3,
"active_shards" : 6,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
But if I add -k or --insecure I am able to verify the cluster health with authentication, although I still think certificate verification is not working properly. Is it because the certificate is self-signed?
Please correct me if I am doing anything wrong and let me know your thoughts.
Thanks,
Ganeshbabu R
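An added example for the certificate step; it is not code from the original post, from Elastic, or from the Helm chart. Two things in the post explain the curl results: Elasticsearch with TLS enabled on the HTTP layer closes a plaintext connection, which curl reports as "(52) Empty reply from server"; and a self-signed certificate is issued by nobody curl trusts, so https fails until curl is handed the issuing certificate with --cacert (the -k flag does not fix verification, it switches it off). The script below builds a throwaway private CA, issues a server certificate whose Subject Alternative Names cover the service name from the post (security-master, its headless service, the namespace-qualified forms and localhost), packs key, leaf and CA into elastic-certificates.p12, and checks chain and hostname with openssl the way a client would. The CA name, output directory and empty PKCS#12 password are made up for the example; the service and namespace names are taken from the post; only the openssl CLI (1.1.1 or later) is required.

```shell
#!/bin/sh
# Added example, not code from the original post or the Elastic Helm chart.
# Builds a private CA, issues a SAN-bearing server certificate for the
# Elasticsearch service name, packs it as PKCS#12 and verifies it with the
# openssl CLI. Assumptions: openssl 1.1.1+ on PATH, service "security-master"
# in namespace "intelligeni-2" (names from the post), empty PKCS#12 password.
set -eu

# make_certs DIR SERVICE NAMESPACE
# Writes ca.crt/ca.key, SERVICE.key/.crt and elastic-certificates.p12 in DIR.
make_certs() {
    dir=$1; svc=$2; ns=$3
    mkdir -p "$dir"

    # 1. Private CA. ca.crt is the file clients trust (curl --cacert).
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = elastic-demo-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -sha256 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR. A CN alone is not enough: verifiers match the
    #    hostname against subjectAltName, so every name a client may use
    #    (service, headless service, namespace-qualified forms, localhost) is listed.
    cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $svc
EOF
    cat > "$dir/san.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $svc
DNS.2 = $svc.$ns
DNS.3 = $svc.$ns.svc
DNS.4 = $svc-headless
DNS.5 = *.$svc-headless.$ns.svc
DNS.6 = localhost
IP.1 = 127.0.0.1
EOF
    openssl req -nodes -newkey rsa:2048 -config "$dir/server.cnf" \
        -keyout "$dir/$svc.key" -out "$dir/$svc.csr" 2>/dev/null

    # 3. Sign the CSR with the CA, attaching the SAN extensions from san.cnf.
    openssl x509 -req -days 365 -sha256 -in "$dir/$svc.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/$svc.crt" 2>/dev/null

    # 4. PKCS#12 holding key, leaf and issuing CA, under the file name the post uses.
    openssl pkcs12 -export -passout pass: -name "$svc" \
        -inkey "$dir/$svc.key" -in "$dir/$svc.crt" -certfile "$dir/ca.crt" \
        -out "$dir/elastic-certificates.p12"
}

# verify_chain CA_CRT LEAF_CRT HOSTNAME -> "OK" if the leaf chains to the CA
# and HOSTNAME matches a SAN, which is exactly what curl --cacert checks.
verify_chain() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# has_san CERT NAME -> "yes" if NAME is present as a DNS SAN in CERT.
has_san() {
    if openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        grep -qE "DNS:$2(,|\$)"; then
        echo yes
    else
        echo no
    fi
}

# p12_leaf_subject P12 -> subject of the end-entity certificate in the bundle.
p12_leaf_subject() {
    openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null
}

WORK=${WORK:-$(mktemp -d)}
make_certs "$WORK" security-master intelligeni-2
echo "CA for curl --cacert: $WORK/ca.crt"
echo "service name check:   $(verify_chain "$WORK/ca.crt" "$WORK/security-master.crt" security-master)"
echo "wrong name check:     $(verify_chain "$WORK/ca.crt" "$WORK/security-master.crt" kibana)"
```

With a certificate issued this way, the in-pod check becomes curl --cacert ca.crt -u elastic:... https://security-master:9200/_cluster/health?pretty=true instead of curl -k, and it succeeds only when the host in the URL is one of the listed SANs; the wildcard entry covers the per-pod names under the headless service. Keeping the CA separate from the leaf also means the server certificate can be rotated without redistributing anything to clients.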