Only expose HTTPS

(Ross Beehler) #1

I am trialing the x-pack security feature through the container image and have followed the Configuring TLS documentation, but after starting elasticsearch, I can only locally (on the container) curl using http, and not https.

Here's my elasticsearch.yaml: full-stack-cluster node-1 /usr/share/elasticsearch/data
  port: 9200
bootstrap.memory_lock: true true true logfile true certificate /usr/share/elasticsearch/config/certificates/elastic-certificates.p12 /usr/share/elasticsearch/config/certificates/elastic-certificates.p12 true /usr/share/elasticsearch/config/certificates/elastic-certificates.p12 /usr/share/elasticsearch/config/certificates/elastic-certificates.p12

I have verified that "/usr/share/elasticsearch/config/certificates/elastic-certificates.p12" is a working link.

Here's what I see when I curl http:

[root@elasticsearch-deployment-5dbffd949f-wjdkn elasticsearch]# curl http://localhost:9200
{
  "name" : "d9Nsd1R",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "hPVfPKydQt2-2xG8hDwRyw",
  "version" : {
    "number" : "6.4.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "04711c2",
    "build_date" : "2018-09-26T13:34:09.098244Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Here's what I see when I curl https:

[root@elasticsearch-deployment-5dbffd949f-wjdkn elasticsearch]# curl https://localhost:9200
curl: (35) SSL received a record that exceeded the maximum permissible length.

As a secondary question, how do I know this is working for tcp? I've ramped up the log level in to debug, and I see nothing about ssl/tls/certs, and very, very little about x-pack security. Is there some way to know that tls is appropriately configured for elasticsearch?

(Jay Modi) #2

You might have a basic license, which is the default type for a self generated license. You can use the start trial API to upgrade to a trial license, which allows security.

Or you can set xpack.license.self_generated.type: 'trial' in your elasticsearch.yml file.

(Ross Beehler) #3

Thanks jaymode.

I tried adding that to my elasticsearch.yml, and it didn't appear to help. When I grep the logs, I do see the following info about my license, which appears like the trial isn't engaging. Any ideas?

[2018-10-19T19:11:56,519][DEBUG][o.e.l.LicenseService ] [d9Nsd1R] current [LicensesMetaData{license={"uid":"d020c18b-50f6-45c9-8b94-eb86424e1b00","type":"basic","issue_date_in_millis":1539634706699,"max_nodes":1000,"issued_to":"docker-cluster","issuer":"elasticsearch","signature":redacted,"start_date_in_millis":-1}, trialVersion=null}]

Is there something else I can look at to see that it is properly reading my elasticsearch.yml file?

(Jay Modi) #4

I think you will need to use the start trial api since the license has already been generated. Sorry about that.

(Ross Beehler) #5

Thanks jaymode. I got that rolling and started using the API to find a lot more evidence that my elasticsearch.yml file was not getting picked up. Note that I'm hosting this in kubernetes, and my kubernetes manifest has been pieced together from a couple different places, which I believe had my elasticsearch.yml going to the wrong directory. I've fixed that and now I can see it's working much better.

(Tim Vernum) #6

It doesn't look like your config file is being used. full-stack-cluster node-1
  "name" : "d9Nsd1R",
  "cluster_name" : "docker-cluster",

How are you providing that yml config to the container?
Are you following one of the options given here?
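
The check the thread converges on, as an added example that is not part of any post above: compare the settings in the intended elasticsearch.yml with what the node reports through `GET _nodes/_local/settings?flat_settings=true`, and read the license type from `GET _xpack/license`. The file contents and both API replies below are constructed samples; the setting names are the standard Elasticsearch 6.x ones, since the file posted in #1 lost its keys.

```python
import json

# Constructed elasticsearch.yml (standard 6.x setting names, values echoing the thread).
INTENDED_YML = """\
cluster.name: full-stack-cluster
http:
  port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certificates/elastic-certificates.p12
"""
# Constructed reply of GET _nodes/_local/settings?flat_settings=true from a node
# that started with the image defaults instead of the file above.
NODES_SETTINGS = json.loads("""{"cluster_name": "docker-cluster", "nodes": {"n1": {
  "name": "d9Nsd1R", "settings": {"cluster.name": "docker-cluster",
  "network.host": "0.0.0.0"}}}}""")
LICENSE = {"license": {"status": "active", "type": "basic"}}  # constructed GET _xpack/license

def flatten_yml(text):
    """Flatten the 'key: value' / nested-mapping subset of elasticsearch.yml."""
    flat, stack = {}, []  # stack holds (indent, key) of the open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop inline comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave mappings we have dedented out of
            stack.pop()
        if value.strip():
            path = ".".join([k for _, k in stack] + [key.strip()])
            flat[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(yml_text, nodes_settings, license_doc):
    """Return findings: file settings the node is not running with, plus license tier."""
    findings = []
    for node in nodes_settings["nodes"].values():
        for key, want in flatten_yml(yml_text).items():
            got = node["settings"].get(key)
            if got != want:
                findings.append(f"{node['name']}: {key} = {got!r}, file says {want!r}")
    if license_doc["license"]["type"] == "basic":
        findings.append("license is basic: per the thread, security needs the trial license")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(INTENDED_YML, NODES_SETTINGS, LICENSE)))
```

An empty result means every setting in the file is effective on the node; a mismatch on `cluster.name` alone is already enough to show the file is not being read.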
