I've been stuck for a few days trying to enable HTTPS for public access from my Elasticsearch JavaScript client. My Elasticsearch server is running on the host machine.
The server is only reachable using HTTP:
curl -k -u "elastic:password" http://193.100.00.00:9200
The problem initially was that I don't have the password to the /etc/elasticsearch/certs/http_ca.crt file,
so I can't use it in my elasticsearch.yml file when enabling the SSL configuration:
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.password: <your-keystore-password>
Here is one solution I did, but it's NOT CORRECT because I get a "detected self-signed certificate in chain" error when trying to connect from the client:
To manually enable HTTPS, I followed these steps:
- Generate a self-signed CA:
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil ca
- Move the file to the certs directory:
mv /usr/share/elasticsearch/elastic-stack-ca.p12 /etc/elasticsearch/certs/
- Generate SSL/TLS certs:
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/certs/elastic-stack-ca.p12
- Set file permissions:
sudo chown elasticsearch:elasticsearch /etc/elasticsearch/certs/elastic-certificates.p12
sudo chmod 600 /etc/elasticsearch/certs/elastic-certificates.p12
- Add the following config to the elasticsearch.yml file:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.password: <your-keystore-password>
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.password: <your-truststore-password>
With this config, the command will work correctly:
curl -k -u "elastic:password" https://193.100.00.00:9200
But from the client, I get: "detected self-signed certificate in chain"
I've tried generating a certificate from a trusted CA (Let's Encrypt), but this solution doesn't make sense to me because I can't maintain auto-renewal through certbot, since I have to:
- Convert to p12 format for the elasticsearch.yml file
- Copy the CA to my client parameter
I'm not good with this stuff, so I'm sure I'm over-complicating it. But if someone can really just tell me what to do, I would greatly appreciate it. There are too many documents with bits and pieces of information, and I feel like there's probably a straightforward answer to enabling HTTPS on an Elasticsearch server to connect with the Elasticsearch JavaScript client using SSL.
Any help would be great. Thanks!