Let's encrypt

Honestabe · August 12, 2024, 10:20pm

i have it working with kibana but cant seem to get it to work with my elastic cluster. I succesfuly mounted the share to my wildcard cert and I symlinked the privetkey.pem and fullchain .pem. i used

xpack.security.http.ssl:
  enabled: true
  key: name\of\pem
  certificate: name\of\pem

when I start the node with the new config the node would not join the cluster so i reverted back to using the keystore.path. I was doing this via a rolling restart. currently I am using the same cert for both trasport.ssl and http.ssl.

I have a few questions.

Is the rolling restart the issue?
do i need to remove the xpack.security.http.ssl.keystore.secure_password with the bin/elasticsearch-keystore comand?
Would that cause problems for the transport.ssl keystore?

i noticed that I was getting the following erros for mulitple ports.

caught exception while handling client http traffic, closing connection Netty4HttpChannel{l

Received fatal alert: bad_certificate
	at io.netty.codec

I am not sure why elastic is trying to communicate those ports. is there a way to figure out why it is?

TimV · August 13, 2024, 2:02am

You should not do that.
The trust chain for transport.ssl is what controls which nodes are permitted to join your cluster. If you configure it to use a public CA then you make it possible for outside nodes to join your cluster. You should use a dedicated CA for your cluster.

This is almost certainly due to trying to switch the transport SSL configuration on a running cluster. That's possible to do, but you need to follow precise steps.

If you just try to configure http.ssl nodes should be fine to join the cluster.

Honestabe:

i noticed that I was getting the following erros for mulitple ports.
caught exception while handling client http traffic, closing connection Netty4HttpChannel{l

Received fatal alert: bad_certificate
	at io.netty.codec

It sounds like you have clients that are trying to connect to your cluster, but are not configured to trust the let's encrypt CA. You will need to work out what those clients are - the log should include IP addresses that can help you
track them down.

Honestabe · August 13, 2024, 4:13pm

you are right. the http.ssl is different than the transport.ssl.
but they where both in the keystore. I made no changes to the transport.ssl sorry for the confusion. they all still have the same transport.ssl they only differences was that one had the let encrypt cert for the http

It sounds like you have clients that are trying to connect to your cluster, but are not configured to trust the let's encrypt CA. You will need to work out what those clients are - the log should include IP addresses that can help you
track them down.

it all going to the fleetserver

Topic		Replies	Views
Elasticsearch https secure communication Elasticsearch elastic-stack-security	4	531	March 11, 2020
Need help in - TLS in elastic cluster settings Elasticsearch elastic-stack-security	2	586	December 30, 2018
Connecting to TLS/SSL secured elastic cluster through transport client Elasticsearch elastic-stack-security	11	2453	July 21, 2019
Encrypt Communication b/w kibana and elasticsearch Elasticsearch elastic-stack-security	14	938	March 30, 2021
Add a new Elasticsearch to TLS/SSL cluster Elasticsearch	4	477	November 22, 2023

Let's encrypt

Related topics