I have tried various ways to use Let's Encrypt certificates with my Elasticsearch cluster, but have been unable to get it working.
First method
Error displayed:
root@elk2:~# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
08:04:56.735 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [91.121.226.53]; the server provided a certificate with subject name [CN=elk2.endesarrollo.ovh], fingerprint [c6223f7d523066074fe362f68b727c6881c61d05], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth, clientAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:elk2.endesarrollo.ovh]; the certificate is issued by [CN=R3,O=Let's Encrypt,C=US]; the certificate is signed by (subject [CN=R3,O=Let's Encrypt,C=US] fingerprint [a053375bfe84e8b748782c7cee15827a6af5a405] {trusted issuer}) signed by (subject [CN=ISRG Root X1,O=Internet Security Research Group,C=US] fingerprint [933c6ddee95c9c41a40f9f50493d82be03ad87bf]) which is issued by [CN=DST Root CA X3,O=Digital Signature Trust Co.] (but that issuer certificate was not provided in the chain); this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/etc/elasticsearch/certs/chain.pem})]) is not configured to trust that issuer, it only trusts the issuer [CN=R3,O=Let's Encrypt,C=US] with fingerprint [a053375bfe84e8b748782c7cee15827a6af5a405]
elasticsearch.yml:
xpack.security.http.ssl:
  enabled: true
  key: certs/privkey.pem
  certificate: certs/fullchain.pem
  certificate_authorities: ["certs/chain.pem"]
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/privkey.pem
  certificate: certs/fullchain.pem
  certificate_authorities: ["certs/chain.pem"]
The certificates in that directory are the latest Let's Encrypt certificates, issued today. I also include lets-encrypt-r3.pem, the chain obtained from Let's Encrypt's Intermediate Certificates page, for some tests.
I use a Let's Encrypt deploy hook that runs after every renewal and puts the certificates in the correct place with the correct permissions:
/etc/letsencrypt/renewal-hooks/deploy/elastic-deploy.sh
#!/bin/sh
domain=elk2.mydomain.tld
cert_dir=/etc/elasticsearch/certs
user=elasticsearch:elasticsearch
# Copy the freshly renewed material out of certbot's live/ directory.
cp "/etc/letsencrypt/live/$domain/cert.pem" "$cert_dir/"
cp "/etc/letsencrypt/live/$domain/privkey.pem" "$cert_dir/"
cp "/etc/letsencrypt/live/$domain/fullchain.pem" "$cert_dir/"
cp "/etc/letsencrypt/live/$domain/chain.pem" "$cert_dir/"
# Only keep the 1st certificate (C=US/O=Let's Encrypt/CN=R3), that is, get rid
# of the 2nd certificate "ISRG Root X1" issued by "DST Root CA X3", which is expired.
# https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
# (openssl x509 only reads the first certificate of its input, so this rewrites
# chain.pem with R3 alone.)
openssl x509 -in "/etc/letsencrypt/live/$domain/chain.pem" > "$cert_dir/chain.pem"
# I also tried without the openssl step for this problem, i.e. with the line
# above commented out like this:
#openssl x509 -in "/etc/letsencrypt/live/$domain/chain.pem" > "$cert_dir/chain.pem"
chown "$user" "$cert_dir"/*.pem
chmod 600 "$cert_dir"/*.pem
root@elk2:~# ls -lisahSt /etc/elasticsearch/certs/
total 52K
17854237 0 drwxr-s--- 4 root elasticsearch 279 Oct 15 08:04 ..
51444596 4.0K -rw------- 1 elasticsearch elasticsearch 1.8K Oct 15 07:56 chain.pem
51444605 8.0K -rw------- 1 elasticsearch elasticsearch 5.5K Oct 15 07:56 fullchain.pem
51444597 4.0K -rw------- 1 elasticsearch elasticsearch 1.9K Oct 15 07:56 cert.pem
51444600 4.0K -rw------- 1 elasticsearch elasticsearch 1.7K Oct 15 07:56 privkey.pem
51445696 4.0K -rw------- 1 elasticsearch elasticsearch 1.8K Oct 15 07:22 lets-encrypt-r3.pem
If I change it to certificate_authorities: ["certs/lets-encrypt-r3.pem"]
to use the Let's Encrypt chain, I get a different error:
07:58:55.114 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [91.121.226.53]; the server provided a certificate with subject name [CN=elk2.endesarrollo.ovh], fingerprint [c6223f7d523066074fe362f68b727c6881c61d05], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth, clientAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:elk2.endesarrollo.ovh]; the certificate is issued by [CN=R3,O=Let's Encrypt,C=US]; the certificate is signed by (subject [CN=R3,O=Let's Encrypt,C=US] fingerprint [a053375bfe84e8b748782c7cee15827a6af5a405] {trusted issuer}) signed by (subject [CN=ISRG Root X1,O=Internet Security Research Group,C=US] fingerprint [933c6ddee95c9c41a40f9f50493d82be03ad87bf]) which is issued by [CN=DST Root CA X3,O=Digital Signature Trust Co.] (but that issuer certificate was not provided in the chain); this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/etc/elasticsearch/certs/lets-encrypt-r3.pem})]) is not configured to trust that issuer, it only trusts the issuer [CN=R3,O=Let's Encrypt,C=US] with fingerprint [a053375bfe84e8b748782c7cee15827a6af5a405]
I have also tried importing it into the Java truststore: /usr/share/elasticsearch/jdk/bin/keytool -importcert -alias startssl -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -storepass changeit -file lets-encrypt-r3.der
But I get the same problem.
Any ideas?