Don't know if this is possible already?
How to set up TLS CA for everything:
- snapshot S3 against custom repositories
- clustering security TLS
A single CA is not recommended. Multiple CAs serve different purposes. Questions to ask yourself for each use case of a CA.
Clustering security TLS: I assume you control all of these clients, but are you using dynamic or fixed networking?
Elasticsearch REST TLS: I assume you are using fixed networking (ex: FQDNs), but do you control all of the clients? Specifically, do clients only trust certain CAs, and do node SAN checking?
Snapshot S3 custom repos: Same as REST TLS.
We run a K8S cluster using cert-manager, and we use the same cert CA for everything. This makes configuration a lot easier.
Also, according to "Set up basic security for the Elastic Stack plus secured HTTPS traffic" (Elasticsearch Guide [8.0]), the CA elasticsearch-ca.pem is used with both Kibana and Metricbeat. I am very curious to see why it's better to have several CAs; do you have good content to read about this, please?
S3 TLS configuration is really painful:
jdk/bin/keytool -import -alias ${backup_url} -cacerts -storepass changeit -noprompt -file backup_minio.crt
And Elasticsearch has a lot of TLS settings:
xpack.security.transport.ssl.certificate_authorities
xpack.http.ssl.certificate_authorities
reindex.ssl.certificate_authorities
...
As we use the same CA, I was looking for a way to cover these points in one shot!
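An added example, not part of the thread and not Elastic's code: a small audit that lists which `*.ssl.certificate_authorities` settings trust which CA file, and flags a CA trusted for node-to-node transport that other settings trust too, which is the trade-off the two posts above disagree on. The sample config and its file paths are constructed, and only inline values (not block-style YAML lists) are parsed.

```python
import re
from collections import defaultdict

# Constructed sample of flat elasticsearch.yml settings; the file paths are made up.
SAMPLE_CONFIG = """
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]
xpack.http.ssl.certificate_authorities: certs/ca.crt
reindex.ssl.certificate_authorities: [ "certs/ca.crt", "certs/remote-ca.crt" ]
# cluster.name: demo
"""

# Any setting ending in ".ssl.certificate_authorities", with an inline value.
SETTING = re.compile(r"^\s*([\w.]+\.ssl\.certificate_authorities)\s*:\s*(.+?)\s*$")

def ca_usage(config_text):
    """Map each CA file to the sorted list of settings that trust it."""
    usage = defaultdict(set)
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip commented-out settings
        m = SETTING.match(line)
        if not m:
            continue
        key, value = m.groups()
        # Accept both a bare path and an inline [ "a", "b" ] list.
        for path in value.strip("[]").split(","):
            path = path.strip().strip("\"'")
            if path:
                usage[path].add(key)
    return {ca: sorted(keys) for ca, keys in usage.items()}

def transport_ca_reuse(config_text):
    """CAs trusted for node-to-node transport that other settings trust too."""
    reuse = {}
    for ca, keys in ca_usage(config_text).items():
        transport = [k for k in keys if ".transport." in k]
        others = [k for k in keys if ".transport." not in k]
        if transport and others:
            reuse[ca] = others
    return reuse

if __name__ == "__main__":
    for ca, keys in ca_usage(SAMPLE_CONFIG).items():
        print(ca, "->", ", ".join(keys))
    print("transport CA also trusted by:", transport_ca_reuse(SAMPLE_CONFIG))
```

The S3 repository trust added with `keytool -cacerts` lives in the JVM truststore, not in `elasticsearch.yml`, so this audit does not see it.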