Set a global TLS CA for security, snapshot , reindex etc

Dont know if this is possible already?

How to setup TLS CA for everything:

  • snapshot S3 against custom repositories
  • clustering security TLS
1 Like

A single CA is not recommended. Multiple CAs serve different purposes. Questions to ask yourself for each use case of a CA.

  1. Do you control all of the clients?
  2. Are you using dynamic or fixed networking?

Clustering security TLS: I assume you control all of these clients, but are you using dynamic or fixed networking?

  • Dynamic networking (ex: K8s, DC): Create a single self-signed cert without SAN. Reuse it for all nodes. Use verfication_mode=certificate to disable hostname verification. This is ideal for production, but if and only if the self-signed cert is never shared. For multiple clusters, use a unique self-signed cert per cluster, and keep them private.
  • Hardcoded networking (ex: DC w/ hardcoded config): You can do this, but it limits auto-scaling which is not great for production. Create a root CA. Issue a unique cert per node with hardcoded SAN dnsName or ipAddress. Use to enforce hostname checking. This is slightly more secure, but it is probably only useful in testing.

Elasticsearch REST TLS: I assume you are using fixed networking (ex: FQDNs), but do you control all of the clients? Specifically, do clients only trust certain CAs, and do node SAN checking?

  • No: You can't tell clients to trust your private CA. You must get certs from a CA the clients already trust. It can be a public CA, or a company private CA. Either option is good for production.
  • Yes: You can tell clients to import your private CA. You can use any method to create the CA and certs, including the CLI tool in Elasticsearch.

Snapshot S3 custom repos: Same as REST TLS.

1 Like

We run a K8S cluster, using cert-manager and we use the same cert CA for everything. This make lot easier configuration.

Also according Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.0] | Elastic , the CA elasticsearch-ca.pem is both used wih kibana and metricbeat, I am very curious to see why it's better to have several CA, do you have a good content to read about please?

S3 TLS configuration is really painfull:

jdk/bin/keytool -import -alias ${backup_url} -cacerts -storepass changeit -noprompt  -file backup_minio.crt

And elastichsearch have lot of TLS settings:

As we use the same CA, I was looking for a way to cover these points in one shot!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.