Let's encrypt

Honestabe · August 12, 2024, 10:20pm

i have it working with kibana but cant seem to get it to work with my elastic cluster. I succesfuly mounted the share to my wildcard cert and I symlinked the privetkey.pem and fullchain .pem. i used

xpack.security.http.ssl:
  enabled: true
  key: name\of\pem
  certificate: name\of\pem

when I start the node with the new config the node would not join the cluster so i reverted back to using the keystore.path. I was doing this via a rolling restart. currently I am using the same cert for both trasport.ssl and http.ssl.

I have a few questions.

Is the rolling restart the issue?
do i need to remove the xpack.security.http.ssl.keystore.secure_password with the bin/elasticsearch-keystore comand?
Would that cause problems for the transport.ssl keystore?

i noticed that I was getting the following erros for mulitple ports.

caught exception while handling client http traffic, closing connection Netty4HttpChannel{l

Received fatal alert: bad_certificate
	at io.netty.codec

I am not sure why elastic is trying to communicate those ports. is there a way to figure out why it is?

TimV · August 13, 2024, 2:02am

You should not do that.
The trust chain for transport.ssl is what controls which nodes are permitted to join your cluster. If you configure it to use a public CA then you make it possible for outside nodes to join your cluster. You should use a dedicated CA for your cluster.

This is almost certainly due to trying to switch the transport SSL configuration on a running cluster. That's possible to do, but you need to follow precise steps.

If you just try to configure http.ssl nodes should be fine to join the cluster.

Honestabe:

i noticed that I was getting the following erros for mulitple ports.
caught exception while handling client http traffic, closing connection Netty4HttpChannel{l

Received fatal alert: bad_certificate
	at io.netty.codec

It sounds like you have clients that are trying to connect to your cluster, but are not configured to trust the let's encrypt CA. You will need to work out what those clients are - the log should include IP addresses that can help you
track them down.

Honestabe · August 13, 2024, 4:13pm

you are right. the http.ssl is different than the transport.ssl.
but they where both in the keystore. I made no changes to the transport.ssl sorry for the confusion. they all still have the same transport.ssl they only differences was that one had the let encrypt cert for the http

It sounds like you have clients that are trying to connect to your cluster, but are not configured to trust the let's encrypt CA. You will need to work out what those clients are - the log should include IP addresses that can help you
track them down.

it all going to the fleetserver

Topic		Replies	Views
Secure connection on HTTP layer Elasticsearch elastic-stack-security	14	7040	September 3, 2019
Client did not trust this server's certificate, closing connection Netty4TcpChannel Elasticsearch elastic-stack-security	19	35655	July 9, 2019
[need help] Securing cluster's node communication with let's encrypt, nodes in different machines in the cloud Elasticsearch elastic-stack-security	2	74	July 9, 2024
How to config kibana if xpack.security.http.ssl.enabled is false Kibana elastic-stack-security , docker	8	4294	July 19, 2022
Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate Elasticsearch elastic-stack-security	5	4905	March 18, 2023

Let's encrypt

Related Topics