Local Elasticsearch 7.6.x Cluster with security features enabled

Hello!

I have some trouble with a local ES-Cluster in relation to security features.
I configured a simple three-node master/data (node.master|node.data:true) cluster. The cluster is up, running and 'green'.

After that, I enabled 'xpack.security.enabled', restarted the whole cluster and ran

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -u "http://localhost:9201"

Afterwards a

curl -k -u elastic 'http://localhost:9201/_cat/nodes?v'

works with the generated password for 'elastic'. The whole cluster is up...

The next step was to generate certificates and keys using elasticsearch-certutil... After that I configured TLS in the configs and restarted the cluster.

Now I get (with the password used above that worked)

curl -k 'https://localhost:9201/_cat/nodes?v' -u elastic --cacert /etc/elasticsearch/certs/ca.crt

It gives:

{"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}},"status":401}

Can anyone give me a hint what I'm doing wrong?

elasticsearch.yml

cluster.name: test-cluster
node.name: ${ES_NODE_NAME}
node.data: ${ES_NODE_DATA}
node.master: ${ES_NODE_MASTER}

path.data: ${ES_PATH_DATA}
path.logs: ${ES_PATH_LOGS}

http.port: ${ES_HTTP_PORT}
transport.tcp.port: ${ES_TCP_PORT}

xpack.license.self_generated.type: basic

xpack.security.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/${ES_NODE_NAME}.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/${ES_NODE_NAME}.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/${ES_NODE_NAME}.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/${ES_NODE_NAME}.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt

discovery.zen.minimum_master_nodes : 2
discovery.seed_hosts: ["tick.local:9301", "trick.local:9302", "track.local:9303"]
cluster.initial_master_nodes: ["tick.local:9301", "trick.local:9302", "track.local:9303"]

The three env-files in /etc/sysconfig/

#set env vars
#
PID_DIR="/var/run/tick"

ES_NODE_NAME="tick"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"

ES_PATH_DATA="/mnt/elasticsearch/tick"
ES_PATH_LOGS="/var/log/elasticsearch/tick/"

ES_HTTP_PORT=9201
ES_TCP_PORT=9301

#set env vars
#

PID_DIR="/var/run/track"

ES_NODE_NAME="track"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"

ES_PATH_DATA="/mnt/elasticsearch/track"
ES_PATH_LOGS="/var/log/elasticsearch/track/"

ES_HTTP_PORT=9203
ES_TCP_PORT=9303

#set env vars
#

PID_DIR="/var/run/trick"

ES_NODE_NAME="trick"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"

ES_PATH_DATA="/mnt/elasticsearch/trick"
ES_PATH_LOGS="/var/log/elasticsearch/trick/"

ES_HTTP_PORT=9202
ES_TCP_PORT=9302

Regards

Stephan

push

Probably your cluster is not formed or no longer green because of a misconfiguration in the transport layer TLS settings. Your elasticsearch logs would have all the necessary information on this.
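One way to test the transport-layer TLS that the reply above points at, as an added example that is not part of the thread: a Python probe that handshakes with each `discovery.seed_hosts` entry from the posted config and validates the node certificate against the posted `ca.crt`, including the hostname check that Elasticsearch's default `verification_mode: full` also performs. The helper names `split_seed`, `probe` and `probe_all` are hypothetical, and the probe presents no client certificate, so it only judges the server's certificate.

```python
import socket
import ssl

# Values copied from the elasticsearch.yml in the question.
SEED_HOSTS = ["tick.local:9301", "trick.local:9302", "track.local:9303"]
CA_FILE = "/etc/elasticsearch/certs/ca.crt"


def split_seed(entry):
    """Split a 'host:port' seed_hosts entry into (host, port)."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def probe(host, port, cafile=None, timeout=3.0):
    """Handshake as a TLS client and classify the outcome."""
    # The default context verifies both the chain and the hostname (SAN).
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # e.g. unknown issuer, or the seed hostname is missing from the SANs
        return "cert-verify-failed", exc.verify_message
    except ssl.SSLError as exc:
        # the port answered, but the TLS handshake did not complete
        return "tls-error", str(exc)
    except OSError as exc:
        # refused, timed out, or the name did not resolve
        return "unreachable", str(exc)


def probe_all(seeds, cafile):
    """Probe every seed host and return {seed: (status, detail)}."""
    return {s: probe(*split_seed(s), cafile=cafile) for s in seeds}


if __name__ == "__main__":
    for seed, (status, detail) in probe_all(SEED_HOSTS, CA_FILE).items():
        print(f"{seed:20} {status:20} {detail}")
```

A `cert-verify-failed` result on a seed host means another node applying full verification would reject that certificate in the same way, which would keep the cluster from forming.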
