SSL and Elastic API

Hi, I have enabled SSL in elastic search, then using Postman I try to make a request to elastic and didn't work, I have to turn off 'SSL certificate verification' in Postman to make the request.

That means that the programmers that get data from the Elastic API will need some kind of file to access the API?

If the latter is true, what files will they need, and where do I get them?

Ignoring SSL verification means that it won't validate the entire certificate chain. This is not ideal as it means the certificate could be fake and you'd never know.

How did you create the certificate?

1 Like

Hi warkolm, I created it with the commands:

bin/elasticsearch-certutil ca

and

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

and got two files, elastic-certificates.p12 and elastic-stack-ca.p12.

I use elastic-certificates.p12 to enable SSL in elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

These (the certificates in elastic-certificates.p12) are certificates that are signed by an autogenerated CA (elastic-stack-ca.p12), and that means that your operating system (and by extension Postman) doesn't know if it should trust them or not. This is why you need to turn off SSL verification in Postman in order to make requests, otherwise it fails.

Depending on how you are going to deploy your Elasticsearch cluster and who will be accessing it you have a few options:

  • Get a certificate that is signed by your company's / organization's CA. This is what you (or your IT department) would do for any other internal company-wide service that is deployed. The OS/browsers of the users should have been configured to trust that CA so that they can verify the authenticity of Elasticsearch's certificate.
  • Get a certificate signed by a well-known and trusted CA that your browser and OS already trust (this is what all widely accessible services do. Take for example https://discuss.elastic.co, which uses a certificate signed by Let's Encrypt, and your browser trusts it because it trusts Let's Encrypt). This is advisable if your users are not just internal to an organization.
  • If you expect just a handful of users, it might be acceptable to hand them the elastic-stack-ca.p12 file and tell them to add this as a trusted CA in their browser/Postman.
2 Likes
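The third option above (handing users the CA so their client can verify the node certificate) is easier to reason about when you can see the chain being built and checked locally. The script below is an added example, not code from the thread or from Elastic: it constructs a throwaway private CA (standing in for elastic-stack-ca.p12), signs a node certificate with it, packs that into a PKCS#12 container of the same shape as elastic-certificates.p12, extracts the CA certificate back out as PEM, and then shows that verification fails against an empty trust store and succeeds once the CA certificate is trusted. All file names, subjects and the empty PKCS#12 password are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread): why a client needs the CA cert to verify
# a certificate issued by elasticsearch-certutil's autogenerated CA.
set -e

WORK="$(mktemp -d)"   # scratch directory; everything below is constructed

# 1. Private CA: stand-in for elastic-stack-ca.p12 (hypothetical names).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Elastic CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Node certificate signed by that CA, exported as a PKCS#12 bundle the
#    way elastic-certificates.p12 is (key + cert + issuing CA cert).
make_node_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=es-node-1" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/node.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/node.key" -in "$WORK/node.crt" \
    -certfile "$WORK/ca.crt" -passout pass: -out "$WORK/node.p12"
}

# 3. Pull only the CA certificate out of the PKCS#12 as PEM. This is the
#    file a client (curl --cacert, Postman's CA setting, an SDK) needs;
#    the private key in the bundle must never be handed out.
extract_ca_pem() {
  openssl pkcs12 -in "$WORK/node.p12" -passin pass: -cacerts -nokeys \
    -out "$WORK/trusted-ca.pem" 2>/dev/null
}

# Prints "ok" when node.crt chains to a CA in the given trust file, else "fail".
verify_with() {
  if openssl verify -CAfile "$1" "$WORK/node.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Runs the whole flow and reports both checks on one line:
# empty trust store (what Postman sees by default) vs. the extracted CA.
demo() {
  make_ca
  make_node_cert
  extract_ca_pem
  echo "untrusted=$(verify_with /dev/null) trusted=$(verify_with "$WORK/trusted-ca.pem")"
}

demo
```

The line the script prints is `untrusted=fail trusted=ok`: the node certificate is cryptographically fine in both cases, and the only thing that changes is whether the client has been told to trust the issuing CA. Distributing `trusted-ca.pem` (or the equivalent export from elastic-stack-ca.p12) is what lets clients keep certificate verification switched on instead of disabling it.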

Thanks Ikakavas for your comprehensive answer, so if I get an external (own company or Let's Encrypt) certificate, I just add the file on the machine and its path in the configuration?

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: external-cert.p12
xpack.security.http.ssl.truststore.path: external-cert.p12

Will there be no problem having a certificate generated by Elastic in the transport layer and an external certificate in HTTP?

like this?

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: external-cert.p12
xpack.security.http.ssl.truststore.path: external-cert.p12

Yes, if you have them as a PKCS#12 container. If you have them as PEM-encoded files you would need to adjust to something like:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: external-cert.key
xpack.security.http.ssl.certificate: external-cert.crt
xpack.security.http.ssl.certificate_authorities: [ "your/ca/cert.crt" ]

See also our docs.

No problem at all.

1 Like