Local Elasticsearch 7.6.x Cluster with security features enabled

Hello!

I have some trouble with a local ES-Cluster in relation to security features.
I configured a simple three-node master/data (node.master|node.data:true) cluster. The cluster is up, running and 'green'.

After that, I enabled 'xpack.security.enabled', restarted the whole cluster and ran

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -u "http://localhost:9201"

Afterwards a

curl -k -u elastic 'http://localhost:9201/_cat/nodes?v'

works with the generated password for 'elastic'. The whole cluster is up...

Next step was to generate certificates and keys using elasticsearch-certutil... After configuring TLS in the configs, I restarted the cluster.

Now I get (with the password used above that worked)

curl -k 'https://localhost:9201/_cat/nodes?v' -u elastic --cacert /etc/elasticsearch/certs/ca.crt

It gives:

{"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}},"status":401}

Can anyone give me a hint what I'm doing wrong?

elasticsearch.yml

cluster.name: test-cluster
node.name: ${ES_NODE_NAME}
node.data: ${ES_NODE_DATA}
node.master: ${ES_NODE_MASTER}

path.data: ${ES_PATH_DATA}
path.logs: ${ES_PATH_LOGS}

http.port: ${ES_HTTP_PORT}
transport.tcp.port: ${ES_TCP_PORT}

xpack.license.self_generated.type: basic

xpack.security.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/${ES_NODE_NAME}.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/${ES_NODE_NAME}.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/${ES_NODE_NAME}.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/${ES_NODE_NAME}.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt

discovery.zen.minimum_master_nodes : 2
discovery.seed_hosts: ["tick.local:9301", "trick.local:9302", "track.local:9303"]
cluster.initial_master_nodes: ["tick.local:9301", "trick.local:9302", "track.local:9303"]

The three env files in /etc/sysconfig/:

#set env vars
#
PID_DIR="/var/run/tick"

ES_NODE_NAME="tick"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"

ES_PATH_DATA="/mnt/elasticsearch/tick"
ES_PATH_LOGS="/var/log/elasticsearch/tick/"

ES_HTTP_PORT=9201
ES_TCP_PORT=9301

#set env vars
#

PID_DIR="/var/run/track"

ES_NODE_NAME="track"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"

ES_PATH_DATA="/mnt/elasticsearch/track"
ES_PATH_LOGS="/var/log/elasticsearch/track/"

ES_HTTP_PORT=9203
ES_TCP_PORT=9303

#set env vars
#

PID_DIR="/var/run/trick"

ES_NODE_NAME="trick"
ES_NODE_MASTER="true"
ES_NODE_DATA="true"

ES_PATH_DATA="/mnt/elasticsearch/trick"
ES_PATH_LOGS="/var/log/elasticsearch/trick/"

ES_HTTP_PORT=9202
ES_TCP_PORT=9302

Regards

Stephan

push

Probably your cluster is not formed or no longer green because of a misconfiguration in the transport layer TLS settings. Your elasticsearch logs would have all the necessary information on this.
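
One way to rule out the certificate files themselves before reading the logs, as an added example that is not part of the original thread: the function below checks the three files that the `xpack.security.transport.ssl.*` and `xpack.security.http.ssl.*` settings in the question point at. It assumes PEM files with an unencrypted key and an `openssl` binary on the node; `check_node_tls` and the optional expected DNS name (only relevant when hostname verification is in effect) are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check one node's TLS files.
# Usage: sh check_node_tls.sh CA_CERT NODE_CERT NODE_KEY [EXPECTED_DNS_NAME]
# Assumes PEM files and an unencrypted private key.

check_node_tls() {
    ca=$1; crt=$2; key=$3; name=${4:-}
    rc=0

    # 1. The node certificate must chain to the CA that the
    #    ...ssl.certificate_authorities setting names.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"
        rc=1
    fi

    # 2. The private key must belong to the certificate: both files
    #    must yield the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"
        rc=1
    fi

    # 3. Optional: the certificate must carry the expected DNS name
    #    as a subjectAltName entry.
    if [ -n "$name" ]; then
        if ! openssl x509 -in "$crt" -noout -text 2>/dev/null |
            grep -A1 'Subject Alternative Name' | tr ',' '\n' |
            sed 's/^ *//' | grep -Fxq "DNS:$name"; then
            echo "FAIL: $crt has no SAN entry DNS:$name"
            rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $crt"; fi
    return "$rc"
}

# Run the check when the script is called with file arguments.
if [ "$#" -ge 3 ]; then
    check_node_tls "$@"
fi
```

Run it once per node with that node's own `.crt` and `.key`; a failure on any node is enough to keep that node out of the cluster.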