Only expose HTTPS

I am trialing the x-pack security feature through the docker.elastic.co/elasticsearch/elasticsearch:6.4.2 container image and have followed the Configuring TLS documentation, but after starting elasticsearch, I can only locally (on the container) curl using http, and not https.

Here's my elasticsearch.yaml:

cluster.name: full-stack-cluster
node.name: node-1
path.data: /usr/share/elasticsearch/data
http:
  host: 0.0.0.0
  port: 9200
bootstrap.memory_lock: true
transport.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs: logfile
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certificates/elastic-certificates.p12

I have verified that "/usr/share/elasticsearch/config/certificates/elastic-certificates.p12" is a working link.

Here's what I see when I curl http:

[root@elasticsearch-deployment-5dbffd949f-wjdkn elasticsearch]# curl http://localhost:9200
{
  "name" : "d9Nsd1R",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "hPVfPKydQt2-2xG8hDwRyw",
  "version" : {
    "number" : "6.4.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "04711c2",
    "build_date" : "2018-09-26T13:34:09.098244Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Here's what I see when I curl https:

[root@elasticsearch-deployment-5dbffd949f-wjdkn elasticsearch]# curl https://localhost:9200
curl: (35) SSL received a record that exceeded the maximum permissible length.

As a secondary question, how do I know this is working for tcp? I've ramped up the log level in log4j2.properties to debug, and I see nothing about ssl/tls/certs, and very, very little about x-pack security. Is there some way to know that tls is appropriately configured for elasticsearch?

You might have a basic license, which is the default type for a self generated license. You can use the start trial API to upgrade to a trial license, which allows security. https://www.elastic.co/guide/en/elastic-stack-overview/current/license-management.html

Or you can set xpack.license.self_generated.type: 'trial' in your elasticsearch.yml file.

Thanks jaymode.

I tried adding that to my elasticsearch.yml, and it didn't appear to help. When I grep the logs, I do see the following info about my license, which appears like the trial isn't engaging. Any ideas?

[2018-10-19T19:11:56,519][DEBUG][o.e.l.LicenseService ] [d9Nsd1R] current [LicensesMetaData{license={"uid":"d020c18b-50f6-45c9-8b94-eb86424e1b00","type":"basic","issue_date_in_millis":1539634706699,"max_nodes":1000,"issued_to":"docker-cluster","issuer":"elasticsearch","signature":redacted,"start_date_in_millis":-1}, trialVersion=null}]

Is there something else I can look at to see that it is properly reading my elasticsearch.yml file?

I think you will need to use the start trial api since the license has already been generated. Sorry about that.

Thanks jaymode. I got that rolling and started using the API to find a lot more evidence that my elasticsearch.yml file was not getting picked up. Note that I'm hosting this in kubernetes, and my kubernetes manifest has been pieced together from a couple different places, which I believe had my elasticsearch.yml going to the wrong directory. I've fixed that and now I can see it's working much better.

It doesn't look like your config file is being used.

cluster.name: full-stack-cluster
node.name: node-1
  "name" : "d9Nsd1R",
  "cluster_name" : "docker-cluster",

How are you providing that yml config to the container?
Are you following one of the options given here?
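
The check the last reply does by eye, written out as an added example (it is not part of any post in this thread and is not Elastic's code): compare the settings you intended with what the running node reports, and flag a plain-HTTP answer when HTTP TLS is configured. The function names `flatten_settings` and `diagnose` are hypothetical, the samples are constructed from the values quoted in the thread, and the parser only handles the flat and one-level-nested `key: value` form used in the question.

```python
import json

# Constructed sample: a subset of the elasticsearch.yml from the question.
CONFIGURED_YML = """\
cluster.name: full-stack-cluster
node.name: node-1
http:
  host: 0.0.0.0
  port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Constructed sample: a subset of what `curl http://localhost:9200` returned.
RUNNING_INFO = '{"name": "d9Nsd1R", "cluster_name": "docker-cluster"}'

def flatten_settings(yml_text):
    """Flatten flat or one-level-nested 'key: value' lines into dotted keys."""
    settings, parent = {}, None
    for raw in yml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        nested = raw[0].isspace()
        if not nested:
            parent = None
        if not value.strip():          # e.g. "http:" opens a nested block
            parent = key
            continue
        name = f"{parent}.{key}" if nested and parent else key
        settings[name] = value.strip().strip("'\"")
    return settings

def diagnose(yml_text, node_info_json, plaintext_http_answered):
    """Return findings where the running node contradicts the intended config."""
    wanted, running = flatten_settings(yml_text), json.loads(node_info_json)
    findings = []
    for setting, field in (("cluster.name", "cluster_name"), ("node.name", "name")):
        if setting in wanted and wanted[setting] != running.get(field):
            findings.append(f"{setting}: configured {wanted[setting]!r}, "
                            f"running {running.get(field)!r} (config file not loaded?)")
    if wanted.get("xpack.security.http.ssl.enabled") == "true" and plaintext_http_answered:
        findings.append("xpack.security.http.ssl.enabled is true but plain HTTP answered")
    return findings

if __name__ == "__main__":
    for finding in diagnose(CONFIGURED_YML, RUNNING_INFO, plaintext_http_answered=True):
        print(finding)
```

With the values from the thread, all three checks fire, which matches the eventual diagnosis that the container never read the mounted elasticsearch.yml.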
