Set a global TLS CA for security, snapshot , reindex etc

Don't know if this is possible already?

How to set up a TLS CA for everything:

  • snapshot S3 against custom repositories
  • clustering security TLS
1 Like

A single CA is not recommended. Multiple CAs serve different purposes. Questions to ask yourself for each use case of a CA.

  1. Do you control all of the clients?
  2. Are you using dynamic or fixed networking?

Clustering security TLS: I assume you control all of these clients, but are you using dynamic or fixed networking?

  • Dynamic networking (ex: K8s, DC): Create a single self-signed cert without SAN. Reuse it for all nodes. Use verification_mode=certificate to disable hostname verification. This is ideal for production, but if and only if the self-signed cert is never shared. For multiple clusters, use a unique self-signed cert per cluster, and keep them private.
  • Hardcoded networking (ex: DC w/ hardcoded config): You can do this, but it limits auto-scaling which is not great for production. Create a root CA. Issue a unique cert per node with hardcoded SAN dnsName or ipAddress. Use xpack.security.transport.ssl.verification_mode=full to enforce hostname checking. This is slightly more secure, but it is probably only useful in testing.

Elasticsearch REST TLS: I assume you are using fixed networking (ex: FQDNs), but do you control all of the clients? Specifically, do clients only trust certain CAs, and do node SAN checking?

  • No: You can't tell clients to trust your private CA. You must get certs from a CA the clients already trust. It can be a public CA, or a company private CA. Either option is good for production.
  • Yes: You can tell clients to import your private CA. You can use any method to create the CA and certs, including the CLI tool in Elasticsearch.

Snapshot S3 custom repos: Same as REST TLS.

1 Like

We run a K8S cluster, using cert-manager, and we use the same cert CA for everything. This makes configuration a lot easier.

Also, according to Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.0] | Elastic, the CA elasticsearch-ca.pem is used with both Kibana and Metricbeat. I am very curious to see why it's better to have several CAs; do you have good content to read about this, please?

S3 TLS configuration is really painful:

jdk/bin/keytool -import -alias ${backup_url} -cacerts -storepass changeit -noprompt  -file backup_minio.crt

And Elasticsearch has a lot of TLS settings:

xpack.security.transport.ssl.certificate_authorities
xpack.http.ssl.certificate_authorities
reindex.ssl.certificate_authorities
...

As we use the same CA, I was looking for a way to cover these points in one shot!
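To show how the settings named in the two posts above fit together, here is an added elasticsearch.yml fragment (example configuration, not from the thread or from Elastic's documentation). The file names under certs/ are assumptions; it references one CA file from every setting that accepts one, and shows the verification_mode choice for the dynamic-networking case next to the fixed-networking case.

```yaml
# elasticsearch.yml fragment (added example). Assumed paths, relative to the
# Elasticsearch config directory:
#   certs/cluster-ca.pem  - the CA that signed the node certificates
#   certs/node.pem / certs/node.key - this node's certificate and private key

# --- Transport (node-to-node) TLS ---
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate: certs/node.pem
xpack.security.transport.ssl.key: certs/node.key
xpack.security.transport.ssl.certificate_authorities: ["certs/cluster-ca.pem"]
# Dynamic networking (e.g. K8s): one cert reused by every node, issued without
# a SAN, so the chain is still verified but hostname checking is disabled.
xpack.security.transport.ssl.verification_mode: certificate
# Fixed networking: one cert per node with SAN dnsName/ipAddress baked in;
# use this instead of the line above to enforce hostname checking.
# xpack.security.transport.ssl.verification_mode: full

# --- REST (HTTP) TLS ---
# If external clients cannot be told to trust your private CA, this
# certificate should come from a CA they already trust instead.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: certs/node.pem
xpack.security.http.ssl.key: certs/node.key
xpack.security.http.ssl.certificate_authorities: ["certs/cluster-ca.pem"]

# --- Outbound HTTPS clients inside Elasticsearch that should trust the same CA ---
reindex.ssl.certificate_authorities: ["certs/cluster-ca.pem"]
reindex.ssl.verification_mode: full
xpack.http.ssl.certificate_authorities: ["certs/cluster-ca.pem"]
```

The S3 repository client does not read any of these keys; it uses the JVM's default truststore, which is why the keytool import into cacerts shown above is still needed for a custom S3 endpoint.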

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.