Kibana HTTPS - Impossible to use verification mode "full" for docker services?

Docker services use their internal DNS to resolve "elasticsearch", so I can point kibana at "https://elasticsearch:9200".

The problem is, I have to set verification mode to "certificate" because the https certificate is for my domain, not for "elasticsearch".

I googled "subject alternative names" and it doesn't look like I can generate a certificate (I'm using letsencrypt) for "elasticsearch" - because anyone could do that!

So, if I'm using docker, and dns resolution is via docker, must we always use certificate instead of full? Or is there something else I'm missing?

It seems so. As far as I can see, it's the recommended way to use self-signed certificates:
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls-docker.html

Is it possible to use both a real certificate + key so it resolves to a public domain name, and a self-signed certificate + key with CA that signed it (as the docs show), so that I can have the best of both worlds?

Publicly I would be able to visit this on https by its domain name, and then Kibana could use full verification mode when talking to Elasticsearch internally within docker.

Yes, you can configure server.ssl with your real cert and use a self-signed cert for elasticsearch.ssl. Would it work for you?

I'm not sure. If I add: verificationmode and authorities, wouldn't these options be for everything?

What would the config look like having both:

  • verification mode "full" with no authorities (for the real cert)
  • verification mode "certificate" with the self-signing authority (for the self-signed cert)
  • specifying separate key + cert pem paths for both

I'm not sure how I can do that with the config.

If I add: verificationmode and authorities, wouldn't these options be for everything?

No, server.ssl and elasticsearch.ssl are different config options. You cannot set verificationmode for server.ssl and have to use a "real" certificate:

server.ssl.enabled: true
server.ssl.key: ...
server.ssl.certificate: ...
server.ssl.certificateAuthorities: ...

You can use a self-signed certificate for elasticsearch.ssl though:

elasticsearch.ssl.certificateAuthorities: ...
elasticsearch.ssl.verificationMode: "certificate"
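The original question was whether the Docker service name "elasticsearch" can ever pass the name check, given that a public CA like Let's Encrypt will not issue a certificate for it. A private CA can, because it only has to be trusted by Kibana (via elasticsearch.ssl.certificateAuthorities), not by the public. The script below is an added example and not from this thread or from Elastic: it uses openssl to create such a CA, issues an Elasticsearch certificate whose subjectAltName covers "elasticsearch" (and "localhost"), and then runs the two checks that correspond to the two verification modes discussed above. The CA name "internal-docker-ca", the hostname "es.example.com" and the scratch directory are made-up values for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread: a private CA whose certificate for the
# Elasticsearch container names the Docker service "elasticsearch" in its SAN,
# so Kibana could use elasticsearch.ssl.verificationMode: full internally.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for generated files

gen_ca() {
  # Self-signed private CA. Only Kibana needs to trust ca.crt; the public
  # server.ssl certificate for Kibana's own domain is unaffected.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=internal-docker-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

gen_es_cert() {
  # CSR for the Elasticsearch container; the SAN below is what "full" mode checks.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=elasticsearch" \
    -keyout "$WORK/es.key" -out "$WORK/es.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:elasticsearch,DNS:localhost\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/es.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" \
    -out "$WORK/es.crt" >/dev/null 2>&1
}

# Chain must validate AND the name must appear in the SAN: this is the check
# that verificationMode "full" performs, and the one a public-domain certificate
# fails when Kibana connects to https://elasticsearch:9200.
verify_full() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/es.crt" \
    >/dev/null 2>&1
}

# Chain only, name ignored: what verificationMode "certificate" settles for.
verify_certificate() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/es.crt" >/dev/null 2>&1
}

gen_ca
gen_es_cert
verify_full elasticsearch   && echo "full:        'elasticsearch' accepted"
verify_full es.example.com  || echo "full:        'es.example.com' rejected (not in SAN)"
verify_certificate          && echo "certificate: chain accepted regardless of name"
```

With this, es.crt and es.key would be mounted into the Elasticsearch container as its http certificate, ca.crt would go into elasticsearch.ssl.certificateAuthorities in kibana.yml, and elasticsearch.ssl.verificationMode could be set to "full" instead of "certificate" while server.ssl keeps the real certificate for the public domain. The same CA file can hold several SAN entries if Elasticsearch is reached under more than one internal name.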