Setting up basic security plus secured HTTP Traffic

Hello all,

I have a three node implementation cluster for Elastic stack on three different VMs and I am using version 7.16.2 with basic license. I have set up two layers of security and working on the last one which is "setting up basic security plus secured HTTP Traffic".

I am following this URL.

At first, I encrypted Http client communication for Elasticsearch like this.

C:\ELK7.16.2\elasticsearch-7.16.2\bin>elasticsearch-certutil http

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.


Generate a CSR? [y/N]n

Use an existing CA? [y/N]y

## What is the path to your CA?

CA Path: C:\ELK7.16.2\elasticsearch-7.16.2\elastic-stack-ca.p12

Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

## How long should your certificates be valid?

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 5Y

## Do you wish to generate one certificate per node?

Generate a certificate per node? [y/N]y

## What is the name of node #1?

This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

node #1 name: fs-master

## Which hostnames will be used to connect to fs-master?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

s**6.oma.de-er.net
s**7.oma.de-er.net

You entered the following hostnames.

-s**6.oma.de-er.net
-s**7.oma.de-er.net

Is this correct [Y/n]y

## Which IP addresses will be used to connect to fs-master?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

7.**.**.21
7.**.**.22

You entered the following IP addresses.

-7.**.**.21
-7.**.**.22

Is this correct [Y/n]y

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: fs-master
Subject DN: CN=fs-master
Key Size: 2048

Do you wish to change any of these options? [y/N]n
Generate additional certificates? [Y/n]n

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]
Repeat password to confirm:

## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [C:\ELK7.16.2\elasticsearch-7.16.2\elasticsearch-ssl-http.zip]

Zip file written to C:\ELK7.16.2\elasticsearch-7.16.2\elasticsearch-ssl-http.zip

Then I changed some configuration and everything worked all right. But when I added the elasticsearch-ca.pem certificate to the Kibana config and tried to run Kibana, it gave me the following error.

  log   [15:14:33.005] [error][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. Hostname/IP does not match certificate's altnames: Host: s**8.oma.de-er.net. is not in the cert's altnames: IP Address:7.**.**.21, IP Address:7.**.**.22, DNS:s**6.oma.de-er.net, DNS:s**7.oma.de-er.net

Following are my elasticsearch.yml and kibana.yml:

cluster.name: FsSearch

node.name: fs-master
node.master: true

path.data: E:\LandingZone\Elastic\fs-master\Data
path.logs: C:\ELK7.16.2\elasticsearch-7.16.2\logs

network.host: 7.**.**.23
http.port: 9200

discovery.seed_hosts: ["7.**.**.21", "7.**.**.22", "7.**.**.23"]
cluster.initial_master_nodes: ["7.**.**.23"]

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.path: http.p12

kibana.yml:

server.port: 5601
server.host: "//s**8.oma.de-er.net"
server.publicBaseUrl: "https://s**8.oma.de-er.net:5601"
elasticsearch.hosts: ["https://s**8.oma.de-er.net:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.ssl.certificateAuthorities: "C:/ELK7.16.2/kibana-7.16.2-windows-x86_64/config/elasticsearch-ca.pem"

Can someone please help me with this problem? I am not sure where I am going wrong.

Thank you,
Akhil
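The check that produced the error in this post is the client's hostname-versus-SAN comparison: Kibana connects to the host named in elasticsearch.hosts and requires that name to appear as a DNS or IP Address entry in the certificate's Subject Alternative Names. The following script is an added example, not part of the post or of Elastic's code; it reimplements that comparison in the standard library over the SAN list exactly as Kibana printed it (masked values kept as in the post), so you can see which hostnames the generated http.p12 would and would not accept.

```python
"""Hostname-vs-SAN check, the test that failed in the Kibana error above.
Standard library only; the SAN list is taken as Kibana printed it."""
import ipaddress

# SAN entries exactly as the error message listed them (masked as in the post).
REPORTED_ALTNAMES = ("IP Address:7.**.**.21, IP Address:7.**.**.22, "
                     "DNS:s**6.oma.de-er.net, DNS:s**7.oma.de-er.net")

def parse_altnames(text):
    """'IP Address:a, DNS:b' -> [('IP Address', 'a'), ('DNS', 'b')]."""
    return [tuple(s.strip() for s in part.partition(":")[::2])
            for part in text.split(",")]

def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a == b  # masked addresses in this post do not parse; compare as text

def _dns_matches(pattern, host):
    """RFC 6125 rules: case-insensitive, wildcard only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or any("*" in lab for lab in p[1:]):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def host_matches(host, altnames):
    """True if host (DNS name or IP literal) is covered by the SAN list.
    A trailing dot, as in Kibana's 'Host: s**8.oma.de-er.net.', is ignored."""
    host = host.rstrip(".")
    for kind, value in altnames:
        if kind == "IP Address" and _same_ip(value, host):
            return True
        if kind == "DNS" and not _is_ip(host) and _dns_matches(value, host):
            return True
    return False

def explain(host, altnames):
    """None if the host is covered, otherwise a message in Kibana's wording."""
    if host_matches(host, altnames):
        return None
    return (f"Hostname/IP does not match certificate's altnames: Host: {host} is not "
            f"in the cert's altnames: {', '.join(f'{k}:{v}' for k, v in altnames)}")
```

Running `explain("s**8.oma.de-er.net.", parse_altnames(REPORTED_ALTNAMES))` reproduces the rejection, while the two hostnames and two IPs that were entered into certutil pass; a name only in the Kibana config (or a node whose network.host is not in the SAN list) cannot pass until it is added to the certificate or the client points at a covered name.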
