I have elasticsearch and enterprise-search both running.
In order to get them running together (with basic license) I had to enable SSL on the elasticsearch side in order to use API key as required by enterprise search (even for localhost connections).
I have a letsencrypt cert that was generated for the public hostname of the box...however I had to turn off enterprise-search's option elasticsearch.ssl.verify. I believe because of mismatched hostnames (localhost vs some-public-host.example.com).
One option would be to have enterprise-search connect via the public hostname rather than localhost... but as most cluster connections will be on internal, non-public hostnames this isn't really a valid solution.
Longer term we will be using our internal CA to sign certificates. I'm trying to understand the impact of the enterprise-search ssl options better. Not for connection to enterprise search as SSL termination is handled by nginx, but for the connection from enterprise-search to elastic-search.
In particular the following config...
# Elasticsearch SSL settings:
#
elasticsearch.ssl.enabled: ${ES_SSL_ENABLED:false}
elasticsearch.ssl.certificate: ${ES_SSL_CERT}
elasticsearch.ssl.certificate_authority: ${ES_SSL_CA}
elasticsearch.ssl.key: ${ES_SSL_KEY}
elasticsearch.ssl.key_passphrase:
elasticsearch.ssl.verify: ${ES_SSL_VERIFY:true}
Just wondering if there is more documentation somewhere about these options. For instance it isn't clear to me why you would share the private key from elastic search with enterprise search.
It also isn't clear how specifying the elastic search ca-chain/cert/key from elastic search with enterprise search impacts the verification.
It also isn't clear what the verification is exactly. Full hostname verification, CA verification, etc. For internal hosts CA or cert verification is usually enough and hostname verification usually causes issues as we may not want to use/maintain DNS records for non-public endpoints (other means of service discovery).
Just hoping someone can point me to more detailed documentation about how these options work so we can have a sane setup for ssl configs. Doesn't seem to be much documentation other than here is the template config files showing all options?
Related topic on other elastic components: Tls verification_mode, custom validation options? - #2 by steffens
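An added example, not part of the original post: using the openssl CLI, it shows a certificate issued for some-public-host.example.com passing CA (chain) verification while failing hostname verification for localhost, and a certificate from the same CA with localhost in its subjectAltName passing both. The CA, file names and helper functions are constructed for illustration, and the script makes no claim about what elasticsearch.ssl.verify itself checks.

```shell
#!/usr/bin/env bash
# Constructed example: throwaway CA and certificates; all names are assumptions.
set -eu
WORK=$(mktemp -d)

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed test CA, standing in for an internal CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME SAN: sign a server certificate whose subjectAltName is SAN.
issue_cert() {
  printf 'subjectAltName=%s\n' "$2" > "$WORK/$1.ext"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# chain_ok NAME: CA-only verification (was the cert signed by our CA?).
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# host_ok NAME HOST: CA verification plus hostname verification against HOST.
host_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

issue_cert public "DNS:some-public-host.example.com"
issue_cert internal "DNS:localhost,IP:127.0.0.1"

chain_ok public && echo "public cert: chain valid"
host_ok public localhost || echo "public cert: hostname mismatch for localhost"
host_ok internal localhost && echo "internal cert: chain and hostname valid"
```

The second certificate carries the names the client actually connects to in its subjectAltName, so hostname verification can stay on without any DNS record for the internal endpoint.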