[Solved] Elasticsearch integration metric settings (elastic-agent)

Hello everyone,

I have installed the Elastic Agent (enrolled in Fleet) on all the nodes in my Elasticsearch cluster; they all have these settings:

# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12

All the agents installed on the nodes of my cluster are enrolled in Fleet under the same policy, named "elasticsearch_clusterz_nodes". In this policy I added the Elasticsearch integration to monitor and view the logs and metrics of every node.

But the problem is that I get this error on all nodes (under Stack Monitoring).

I suspected these settings. The username and password are correct, but I don't know which cert or API key I should use.

The certs that I already have are:
the certificate used for communication with the cluster: elasticsearch-ca.pem

the SSL certificate of each node: http.p12

I converted my CA (elastic-stack-ca.p12) using these two commands:

openssl pkcs12 -in elastic-stack-ca.p12 -out cert.crt -clcerts -nokeys

openssl pkcs12 -in elastic-stack-ca.p12 -out private.key -nocerts -nodes

to get cert.crt and private.key of the certificate used to communicate with the cluster, but sadly it didn't work.

Same thing with the http.p12 SSL certificate of each node: I converted it using these commands to get http.crt and http.key, but sadly it didn't work either.

openssl pkcs12 -in http.p12 -clcerts -nokeys -out http.crt

openssl pkcs12 -in http.p12 -nocerts -out http.key -nodes

[screenshot: Capture d'écran 2024-08-16 002450 (image not included in the text version)]

Please help.
@stephenb

Hi @Abdarrahmane

First, please do not directly mention / ping people such as myself who are not already part of your conversation; it is not forum best practice.

Thanks for the details. Can you post the text version of the SSL settings? We cannot do much with screenshots.

Have you simply tried going to the box you installed the agent on and curling the cluster?

curl -v --cacert /path/to/ca -u elastic https://localhost:9200

Try that, come back and show the command and the complete result in text.

Also, you should only need the certificate_authorities, not the 2 other settings.

The settings descriptions are here from the line

You can also try

verification_mode: none

just to test... but in the end, if the curl does not work, the integration will not.


Hello Stephen,

Thank you for taking the time to answer me, as always.

My apologies, I'm quite new to the community; I didn't know the rules :sweat_smile::sweat_smile:

I went into one of the nodes and ran the command:

curl -v --cacert /etc/elasticsearch/certs/elasticsearch-ca.pem -u elastic https://localhost:9200

and here is its output:

root@elasticsearch1:/home/elasticsearch1# curl -v --cacert /etc/elasticsearch/certs/elasticsearch-ca.pem -u elastic https://localhost:9200
Enter host password for user 'elastic':
*   Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/elasticsearch/certs/elasticsearch-ca.pem
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=node-1
*  start date: Jul 31 17:19:11 2024 GMT
*  expire date: Jul 31 17:19:11 2029 GMT
*  subjectAltName does not match localhost
* SSL: no alternative certificate subject name matches target host name 'localhost'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I think it's because the SSL certificate used by Elasticsearch does not have localhost listed as a valid subjectAltName (SAN).

When I bypass the certificate validation using this command:

curl -v -k -u elastic https://localhost:9200

it works. Same thing for the integration, when I added verification_mode: none to the SSL configuration of the integration.

But this is not recommended for production environments, so are there other solutions, like regenerating the certificate with localhost in the SAN for each node certificate as explained here: Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.15] | Elastic,
or any other solution that ensures security?

Thank you!


Yup, regenerate the certs with the proper SANs, IPs, etc.; test with curl and you should be good to go. That is the proper secure approach.

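The SAN mismatch discussed in the two posts above, reproduced offline as an added example (this is not code from the thread, from Elastic, or from the linked guide): it issues a test certificate in the same state curl complained about, one whose SAN only names node-1, beside a regenerated one that also lists localhost and 127.0.0.1, and runs the hostname check curl performs before it trusts a server. It assumes OpenSSL 1.1.1 or newer on PATH (for -addext, -ext and -checkhost); the node name and IP addresses are constructed stand-ins and no cluster is contacted.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastic. It reproduces the
# "no alternative certificate subject name matches target host name" failure
# curl reported above and shows the offline check to run after regenerating
# node certificates with the proper SANs. Assumes OpenSSL >= 1.1.1 on PATH.
# Everything is generated in a temp dir; node names and IPs are constructed.
set -eu
WORK="$(mktemp -d)"

# Issue a self-signed test certificate for CN=node-1.
#   $1 = basename for the key/cert files, $2 = subjectAltName list.
make_node_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=node-1" \
    -addext "subjectAltName=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Print the SAN extension so you can see which names the cert covers.
show_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName
}

# Succeed only if the cert is valid for the DNS name in $2. This is the
# same hostname matching curl applies before it trusts the server.
cert_matches_host() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" 2>/dev/null \
    | grep -q ' does match certificate'
}

# Same check for an IP address (IPs must be IP: entries in the SAN, not DNS:).
cert_matches_ip() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkip "$2" 2>/dev/null \
    | grep -q ' does match certificate'
}

# "before": the cert has a SAN, but only for the node's own name and address,
# which is exactly the state that broke curl against https://localhost:9200.
make_node_cert before "DNS:node-1,IP:192.0.2.10"
# "after": the regenerated cert also lists every name an agent will dial.
make_node_cert after "DNS:node-1,DNS:localhost,IP:127.0.0.1,IP:192.0.2.10"

report() {
  if cert_matches_host "$1" "$2"; then
    echo "$1: host $2 matches"
  else
    echo "$1: host $2 does NOT match (curl would fail with error 60)"
  fi
}

show_san before
show_san after
report before localhost   # does NOT match
report after localhost    # matches
```

Run the same cert_matches_host check against the real node certificate (the http.crt extracted from http.p12 with the command in the first post) for every name an agent will use to reach the node, including localhost if the integration is pointed at https://localhost:9200. Any name that reports "does NOT match" will fail with curl error 60 and with the integration, unless verification is turned off.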

Done, and it worked!!

Thank you so much Stephen, have a good one!
