Good afternoon, we are planning on deploying Elasticsearch with third-party publicly signed certificates from Let's Encrypt, and I have been trying to find a way of replacing the certificates that are provided by the Elasticsearch utility. Are there any specific steps required, like adding them to the keystore, in order to replace the ones generated by the utility with the publicly signed ones?
TLS can be configured for ES on both the transport interface (node-to-node) and HTTP interface (external client to ES node). Which one do you plan to replace with publicly signed certificates?
We do not recommend using publicly signed certificates for the transport interface because it possibly means anyone else can obtain a cert from the public CA, spin up a node and join your cluster.
If you want to replace the certs used for the HTTP interface, you need to change the relevant settings listed on this page.
Hi Yang, thank you for the information. We did not originally plan to do this; however, when we deployed it with the certificates generated by the Elasticsearch certificate utility and deployed the Fleet Server in a production setup, no data was coming in until we set ssl.verification_mode: none for the output settings, and I am not sure if that is by design or not.
If this is for Fleet server to connect, it is on the HTTP interface which is OK to use certs signed by public CAs.
however no data was coming in until we set the ssl.verification_mode: none for output settings, and i am not sure if that is by design or not.
No, it is definitely not by design. Having none as the verification mode basically disables TLS, which is a high risk. You should fix that as soon as possible. For certificates generated by the Elasticsearch certificate utility to work between Fleet Server and Elasticsearch, you need to configure the necessary trust. Have you read this documentation page?
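To make the two answers concrete, here is an added example (not from this thread or from Elastic's documentation) of the HTTP-layer settings in elasticsearch.yml that point at Let's Encrypt PEM files, followed by the Fleet output SSL settings in the weak form the poster used and in the corrected form. All file paths are placeholders and assume the Let's Encrypt files are readable by the elasticsearch user.

```yaml
# --- elasticsearch.yml: HTTP interface only (transport keeps the utility-generated certs) ---
xpack.security.http.ssl.enabled: true
# Placeholder paths: Let's Encrypt writes privkey.pem and fullchain.pem per domain.
# fullchain.pem carries the leaf certificate plus the intermediate, which is what
# clients need to build a chain to the public root.
xpack.security.http.ssl.key: /etc/elasticsearch/certs/privkey.pem
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/fullchain.pem
# Let's Encrypt keys are unencrypted; if you ever use an encrypted key instead,
# store the passphrase in the keystore under
# xpack.security.http.ssl.secure_key_passphrase rather than in this file.

# --- Fleet output (Kibana > Fleet > Settings > Outputs > Advanced YAML) ---
# WEAK: disables certificate validation, so any endpoint can impersonate Elasticsearch.
# ssl.verification_mode: none

# CORRECTED for a publicly signed HTTP certificate: full validation against the
# system trust store, which already contains the Let's Encrypt root.
ssl.verification_mode: full

# CORRECTED for utility-generated (private CA) HTTP certificates: keep full validation
# and explicitly trust the CA that signed the Elasticsearch HTTP certificate.
# Placeholder path for the CA PEM exported by the certificate utility.
# ssl.verification_mode: full
# ssl.certificate_authorities: ["/etc/fleet/certs/elasticsearch-ca.pem"]
```

With verification_mode: full the agent also checks that the hostname in the output URL matches the certificate, so the Fleet output must use the DNS name the Let's Encrypt certificate was issued for, not an IP address.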