SSL and Elastic API

Hi, I have enabled SSL in elastic search, then using Postman I try to make a request to elastic and didn't work, I have to turn off 'SSL certificate verification' in Postman to make the request.

That means that the programers, that get data from elastic API, will need some kind of file to acces the api?

If the last is true, what files will they need? and where do I get them?

Ignoring SSL verification means that it won't validate the entire certificate chain. This is not ideal as it means the certificate could be fake and you'd never know.

How did you create the certificate?

1 Like

Hi warkolm I create it with the commands:

bin/elasticsearch-certutil ca


bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

and get two files elastic-certificates.p12 and elastic-stack-ca.p12

I use elastic-certificates.p12 to enable ssl in elasticsearch.yml true elastic-certificates.p12 elastic-certificates.p12

These ( the certificates in elastic-certificates.p12 ) are certificates that are signed by an autogenerated CA ( elastic-stack-ca.p12 ) and that means that your operating system ( and by extension postman ) doesn't know if it should trust them or not . This is why you need to turn off SSL verification in postman in order to make requests, otherwise it fails.

Depending on how you are going to deploy your Elasticsearch cluster and who will be accessing it you have a few options:

  • Get a certificate that is signed by your company's / organization CA. This is what you (or your IT department) would do for any other internal company wide service that is deployed. The OS/Browsers of the users should have been configured to trust that CA so that they can verify the authenticity of the Elasticsearch's certificate
  • Get a certificate signed by a well known and trusted CA that your browser and OS already trust ( This is what all widely accessible services do. Take for example which uses a certificate signed by Let's Encrypt and your browser trusts it because it trusts Let's Encrypt ). This is advisable if your users are not just internal to an organization
  • If you expect just a handful of users, it might be acceptable to hand them the elastic-stack-ca.p12 file and tell them to add this as a trusted CA in their browser/postman/

Thanks Ikakavas for your comprehensive answer, so if I get a external (own company or Let's encript) certificate, I just add the file in the machine and his path in the configuration? true external-cert.p12 external-cert.p12

there will be no problem to have a certificate generated by elastic in the trasport, and external certificate in http?

like this? true true PKCS12 certificate elastic-certificates.p12 elastic-certificates.p12 PKCS12 true external-cert.p12 external-cert.p12

Yes, if you have them as a PKCS#12 container. If you have them as PEM encoded files you would need to adjust to something like : true external-cert.key external-cert.crt [ "your/ca/cert.crt"]

See also our docs

No problem at all

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.