Several questions about SSL/TLS

Hi, I configured SSL/TLS in Elasticsearch following the security reference.

My elasticsearch.yml:

xpack.security.enabled: true
network.host: MY_IP
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12

When I run curl -k -u elastic:123456 -X GET https://MY_IP:9200, there is nothing wrong.

My question:

1. How can I get the same result without "-k"?
2. How do I connect to Elasticsearch in Java?

Hoping for an answer, thanks!

Hey,

In order to not use curl -k, you would need to make sure that curl knows the CA cert you used to create the Elasticsearch certificates.

Regarding your second question and Java: the client connecting to Elasticsearch also needs to know about the CA you used to sign the certificates. See https://www.elastic.co/guide/en/elasticsearch/client/java-rest/7.4/_encrypted_communication.html

--Alex
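The answer above says what curl needs (the CA certificate) but not how to get it out of the PKCS#12 bundle. The following POSIX shell script is an added example, not code from this thread or from Elastic: it extracts the certificate from the CA bundle, checks that a node certificate actually chains to it, and then calls Elasticsearch with full verification instead of -k. It assumes openssl is on the PATH, that the CA bundle is the elastic-stack-ca.p12 written by bin/elasticsearch-certutil ca (empty password unless one is passed), and that MY_IP, the user and the file paths are placeholders you replace.

```shell
# Added example, not code from the thread: trust the CA instead of using curl -k.
# Assumes: openssl on PATH; the CA bundle is the elastic-stack-ca.p12 written by
# "bin/elasticsearch-certutil ca" (empty password unless you pass one).
set -eu

# Write the certificate(s) from a PKCS#12 bundle to a PEM file, leaving the
# private key behind. PEM is what curl --cacert expects.
# Usage: extract_ca_cert <bundle.p12> <out.pem> [password]
extract_ca_cert() {
    bundle="$1"; out="$2"; pass="${3:-}"
    # -nokeys keeps the CA private key out of the file you hand to clients.
    # OpenSSL 3 may need "-legacy" for bundles written by older Java releases.
    openssl pkcs12 -in "$bundle" -nokeys -passin "pass:$pass" -out "$out"
    chmod 0644 "$out"
}

# Return 0 if the certificate in $2 chains to the CA in $1 (both PEM).
# Run this on the node certificate before blaming curl for a trust error.
# Usage: chains_to_ca <ca.pem> <cert.pem>
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Query Elasticsearch with certificate and hostname verification (no -k).
# If curl reports a hostname mismatch here, the node certificate was made
# without hostnames; regenerate it with (assumed invocation, adjust to your host)
#   bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns <host> --ip <ip>
# Usage: es_get <ca.pem> <url> <user[:password]>
es_get() {
    curl --silent --show-error --fail --cacert "$1" -u "$3" "$2"
}

# Example session (placeholders; nothing runs when this file is sourced):
#   extract_ca_cert config/certs/elastic-stack-ca.p12 ca.pem
#   chains_to_ca ca.pem node.pem && es_get ca.pem https://MY_IP:9200 elastic
```

The important design point is extract_ca_cert's -nokeys: clients only ever need the CA's public certificate, so the file you copy to curl users or to the Java truststore should never contain the CA private key. Once curl accepts the connection with --cacert, the same PEM (or the bundle it came from) is what the Java client's truststore has to contain.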

@spinscale, thank you for your reply.
But what I really don't know is how I can generate a CA, or does the CA mean elastic-stack-ca.p12?
Can you please show me a sample or some blogs?
Thanks again.

I assume that somehow you generated those certificates? Or did you get them from a third party? Regardless, you have to add those to the programs you execute in order to prevent those warning messages (be it curl or the Java client).

Did you follow the documentation or how were those created?

@spinscale Thank you for your reply.

Firstly, I used X-Pack to complete basic auth.

Secondly, I executed bin/elasticsearch-certutil ca, and elastic-stack-ca.p12 was generated without password protection.

Thirdly, I executed bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12, and elastic-certificates.p12 was generated without password protection.

Fourthly, I moved elastic-stack-ca.p12 and elastic-certificates.p12 to config/certs and restarted.

At last, I executed curl -k -u elastic:123456 -X GET https://MY_IP:9200, and Elasticsearch showed me a JSON.

My elasticsearch.yml was configured as mentioned above.

So, in this case, how can I generate certificates and connect to Elasticsearch in Java?

Sorry that I have so many questions and waste your time.
Hoping for your answer, thank you again.

@spinscale I am very happy to tell you that I have resolved this problem. The "CA" you mentioned is the elastic-certificates.p12 that I already generated. My Java client is as below.
I hope this can help someone who needs it.

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.client.indices.GetIndexRequest;

private static RestHighLevelClient client;

public static boolean auth(String index) throws Exception {
	CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
	credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "123456"));
	// elastic-certificates.p12 is a PKCS#12 bundle, so open it as one (not as JKS)
	KeyStore truststore = KeyStore.getInstance("PKCS12");
	try (InputStream is = new FileInputStream("./src/main/resources/elastic-certificates.p12")) {
		truststore.load(is, "123456".toCharArray());
	}
	// Trust only the certificates in that bundle, not the JVM's default CA set
	SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
	final SSLContext sslContext = sslBuilder.build();
	RestClientBuilder builder = RestClient.builder(new HttpHost("MY_IP", 9200, "https"))
			.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
				@Override
				public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
					// NoopHostnameVerifier skips the hostname check; drop it once the node certificate carries MY_IP
					return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider)
							.setSSLContext(sslContext).setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
				}
			});
	client = new RestHighLevelClient(builder);
	GetIndexRequest req = new GetIndexRequest(index);
	return client.indices().exists(req, RequestOptions.DEFAULT);
}

My elasticsearch.yml is as below:

xpack.security.enabled: true
network.host: MY_IP
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: 123456
xpack.security.transport.ssl.truststore.password: 123456
xpack.security.http.ssl.keystore.password: 123456
xpack.security.http.ssl.truststore.password: 123456