Dont know if this is possible already?
How to setup TLS CA for everything:
- snapshot S3 against custom repositories
- clustering security TLS
1 Like
A single CA is not recommended. Multiple CAs serve different purposes. Questions to ask yourself for each use case of a CA.
- Do you control all of the clients?
- Are you using dynamic or fixed networking?
Clustering security TLS: I assume you control all of these clients, but are you using dynamic or fixed networking?
- Dynamic networking (ex: K8s, DC): Create a single self-signed cert without SAN. Reuse it for all nodes. Use verfication_mode=certificate to disable hostname verification. This is ideal for production, but if and only if the self-signed cert is never shared. For multiple clusters, use a unique self-signed cert per cluster, and keep them private.
- Hardcoded networking (ex: DC w/ hardcoded config): You can do this, but it limits auto-scaling which is not great for production. Create a root CA. Issue a unique cert per node with hardcoded SAN dnsName or ipAddress. Use xpack.security.transport.ssl.verification_mode.=full to enforce hostname checking. This is slightly more secure, but it is probably only useful in testing.
Elasticsearch REST TLS: I assume you are using fixed networking (ex: FQDNs), but do you control all of the clients? Specifically, do clients only trust certain CAs, and do node SAN checking?
- No: You can't tell clients to trust your private CA. You must get certs from a CA the clients already trust. It can be a public CA, or a company private CA. Either option is good for production.
- Yes: You can tell clients to import your private CA. You can use any method to create the CA and certs, including the CLI tool in Elasticsearch.
Snapshot S3 custom repos: Same as REST TLS.
1 Like
We run a K8S cluster, using cert-manager and we use the same cert CA for everything. This make lot easier configuration.
Also according Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.0] | Elastic , the CA elasticsearch-ca.pem is both used wih kibana and metricbeat, I am very curious to see why it's better to have several CA, do you have a good content to read about please?
S3 TLS configuration is really painfull:
jdk/bin/keytool -import -alias ${backup_url} -cacerts -storepass changeit -noprompt -file backup_minio.crt
And elastichsearch have lot of TLS settings:
xpack.security.transport.ssl.certificate_authorities
xpack.http.ssl.certificate_authorities
reindex.ssl.certificate_authorities
...
As we use the same CA, I was looking for a way to cover these points in one shot!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.