Hello!
I have some trouble with a local ES-Cluster in relation to security features.
I configured a simple three-node master/data (node.master|node.data:true) cluster. The cluster is up, running and 'green'.
After that, I enabled 'xpack.security.enabled' and restarted the whole cluster and running
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -u "http://localhost:9201"
Afterwards a
curl -k -u elastic 'http://localhost:9201/_cat/nodes?v'
works with the generated password for 'elastic'. The whole cluster is up...
Next step was to generate certificates and keys using elasticsearch-certutil
... After configuring TLS in the configs and restarted the cluster.
Now i get (with the password used above that worked)
curl -k 'https://localhost:9201/_cat/nodes?v' -u elastic --cacert /etc/elasticsearch/certs/ca.crt'
It gives:
{"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}},"status":401}
Can anyone give me a hint what i'm doing wrong?
elasticsearch.yml
cluster.name: test-cluster
node.name: ${ES_NODE_NAME}
node.data: ${ES_NODE_DATA}
node.master: ${ES_NODE_MASTER}
path.data: ${ES_PATH_DATA}
path.logs: ${ES_PATH_LOGS}
http.port: ${ES_HTTP_PORT}
transport.tcp.port: ${ES_TCP_PORT}
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/${ES_NODE_NAME}.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/${ES_NODE_NAME}.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/${ES_NODE_NAME}.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/${ES_NODE_NAME}.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
discovery.zen.minimum_master_nodes : 2
discovery.seed_hosts: ["tick.local:9301", "trick.local:9302", "track.local:9303"]
cluster.initial_master_nodes: ["tick.local:9301", "trick.local:9302", "track.local:9303"]
the three env-files in /etc/sysconfig7
#set env vars
#
PID_DIR="/var/run/tick"
ES_NODE_NAME="tick"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"
ES_PATH_DATA="/mnt/elasticsearch/tick"
ES_PATH_LOGS="/var/log/elasticsearch/tick/"
ES_HTTP_PORT=9201
ES_TCP_PORT=9301
>#set env vars
>#
PID_DIR="/var/run/track"
ES_NODE_NAME="track"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"
ES_PATH_DATA="/mnt/elasticsearch/track"
ES_PATH_LOGS="/var/log/elasticsearch/track/"
ES_HTTP_PORT=9203
ES_TCP_PORT=9303
>
#set env vars
#
PID_DIR="/var/run/trick"
ES_NODE_NAME="trick"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"
ES_PATH_DATA="/mnt/elasticsearch/trick"
ES_PATH_LOGS="/var/log/elasticsearch/trick/"
ES_HTTP_PORT=9202
ES_TCP_PORT=9302
Regards
Stephan