SSL between nodes

Hi,

I'm upgrading to 8.5.1 in a Kubernetes solution with a Helm installation

and had an issue with SSL between nodes.
I found "The truststore does not contain any trusted certificate entries after upgrade to 8.0"

and used solution number 2.

The relevant part of my values.yaml file:

esConfig:
  elasticsearch.yml: |
    xpack.license.self_generated.type: basic
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
keystore:
  - secretName: elastic-certificates-password

Everything went fine, all the pods started.

But none of them goes to the ready state. In the logs it's just stuck after
"message":"successfully loaded geoip database file [GeoLite2-City.mmdb]"

Everything looks OK, so I went inside the pod and curled the health endpoint to check:
curl -u elastic:$ELASTIC_PASSWORD -X GET https://localhost:9200/_cluster/health?wait_for_status=green

It hangs (not always, don't know why) and after a return keypress:
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

So, I haven't mounted the elastic-stack-ca.p12 in the pods. From the documentation I understood that it was not needed.

Can you help me?

Thanks in advance

So....

Changing protocol to http in values.yaml solves the problem.
Looking in the Helm chart, protocol is only used to calculate the probe protocol.

In Elastic 7.x.x, http was default.

Does anyone have any idea why this was changed? Is it okay to override this value, or is there a better way to solve this?

You have enabled transport SSL, which is for SSL communication between nodes. If you want to verify that it is working, you should curl the transport port, which by default should be 9300.
Please note you have to curl it with the CA cert, private cert and private key; then it would return:

This is not HTTP port

If you want to connect to the ES API (9200) with HTTPS, you should enable and configure

xpack.security.http.ssl

Hades

Hi,
thanks for the response.

I was just about to post that also.

Had the same issue with Kibana, and I solved this by enabling what you've just suggested.

So, the relevant part of values.yaml:

protocol: https

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12

keystore:
  - secretName: elastic-certificates-password

and this secret, elastic-certificates-password, needs the following keys:

  "xpack.security.http.ssl.keystore.secure_password",
  "xpack.security.http.ssl.truststore.secure_password",
  "xpack.security.transport.ssl.keystore.secure_password",
  "xpack.security.transport.ssl.truststore.secure_password"

kubectl create secret generic elastic-certificates-password \
  --from-literal=xpack.security.transport.ssl.keystore.secure_password=<the password> \
  --from-literal=xpack.security.transport.ssl.truststore.secure_password=<the password> \
  --from-literal=xpack.security.http.ssl.keystore.secure_password=<the password> \
  --from-literal=xpack.security.http.ssl.truststore.secure_password=<the password>

thanks
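
The two points this thread arrives at (transport SSL on 9300 is not HTTP SSL on 9200, so a chart `protocol: https` probe against a node with only transport SSL gets "wrong version number"; and the keystore Secret needs one secure_password key per keystore/truststore path of each enabled SSL layer) can be checked before a rollout. The following Python lint is an added example, not code from this thread, from the Elastic Helm chart or from Elasticsearch. It assumes the `protocol` argument is the chart's values.yaml `protocol` value (https by default in the 8.x chart, as the thread implies), uses a flat `key: value` parser rather than PyYAML so it runs offline, and the Secret key lists are constructed for the example.

```python
# Added example: lint the esConfig settings from this thread against the chart's
# probe protocol and the keys in the elastic-certificates-password Secret.
# Not from the thread, the Elastic Helm chart or Elasticsearch.

# elasticsearch.yml contents from the thread's first and last posts.
FIRST_POST_YML = """
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
"""

FIXED_YML = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
"""

# Constructed: key names present in the Secret before and after the fix
# (only the names matter for this check, never the password values).
FIRST_POST_SECRET_KEYS = [
    "xpack.security.transport.ssl.keystore.secure_password",
    "xpack.security.transport.ssl.truststore.secure_password",
]
FIXED_SECRET_KEYS = FIRST_POST_SECRET_KEYS + [
    "xpack.security.http.ssl.keystore.secure_password",
    "xpack.security.http.ssl.truststore.secure_password",
]


def parse_flat_yaml(text):
    """Parse flat `key: value` lines (enough for these settings; not a YAML parser)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def _enabled(settings, key):
    return settings.get(key, "false").strip().lower() == "true"


def required_secret_keys(settings):
    """One secure_password entry per keystore/truststore path of each enabled layer."""
    needed = []
    for layer in ("transport", "http"):
        if not _enabled(settings, f"xpack.security.{layer}.ssl.enabled"):
            continue
        for store in ("keystore", "truststore"):
            if f"xpack.security.{layer}.ssl.{store}.path" in settings:
                needed.append(f"xpack.security.{layer}.ssl.{store}.secure_password")
    return needed


def lint(protocol, settings, secret_keys):
    """Return findings; an empty list means probe protocol, SSL layers and Secret agree."""
    findings = []
    transport_ssl = _enabled(settings, "xpack.security.transport.ssl.enabled")
    http_ssl = _enabled(settings, "xpack.security.http.ssl.enabled")
    # The thread's failure: probe (and curl https://localhost:9200) starts a TLS
    # handshake, but only transport SSL on 9300 is on, so 9200 answers plaintext.
    if protocol == "https" and not http_ssl:
        findings.append("protocol is https but xpack.security.http.ssl.enabled is not true: "
                        "TLS handshake against plaintext 9200 fails with 'wrong version number'")
    # Reverse mismatch: HTTPS is served but the probe asks for plaintext HTTP.
    if protocol == "http" and http_ssl:
        findings.append("xpack.security.http.ssl.enabled is true but protocol is http")
    # The thread's workaround: nodes talk TLS to each other, the REST API does not.
    if protocol == "http" and transport_ssl and not http_ssl:
        findings.append("transport SSL only: node-to-node traffic is encrypted but the REST "
                        "API on 9200 is plaintext; enable xpack.security.http.ssl")
    for key in required_secret_keys(settings):
        if key not in secret_keys:
            findings.append(f"Secret is missing {key}")
    return findings


if __name__ == "__main__":
    cases = (("first post", "https", FIRST_POST_YML, FIRST_POST_SECRET_KEYS),
             ("workaround protocol: http", "http", FIRST_POST_YML, FIRST_POST_SECRET_KEYS),
             ("final config", "https", FIXED_YML, FIXED_SECRET_KEYS))
    for label, proto, yml, keys in cases:
        print(f"[{label}]")
        for finding in lint(proto, parse_flat_yaml(yml), keys) or ["ok"]:
            print("  -", finding)
```

Run it as-is to see the three states from the thread side by side: the original config flagged for the probe mismatch, the `protocol: http` workaround flagged because the REST API stays in plaintext, and the final config reporting nothing. Removing the two http keys from FIXED_SECRET_KEYS shows the Secret check firing.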

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.