Hi there! I am trying to encrypt communication on my elastic server. I followed several tutorials. However, I always fail to succeed, so I am seeking advice here. Elasticsearch is running fine after a fresh installation. But when I try to use certificates, it just won't start anymore.
Conditions
- Ubuntu 18.04
- Elasticsearch 7.4.2
- Single Node Cluster
What I tried (self-signed certificate)
I tried to follow the official documentation, as well as this blog post.
The blog post seems straightforward, but I don't fully understand this part:
bin/elasticsearch-certutil ca --ca-dn CN=your_domain_name
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -name "CN=your_domain_name,OU=Consulting Team,DC=your_domain_name,DC=com"
Specifically, the "-name" command confuses me, since it is actually there to create the file's name.
Let's say I am running the command ...
bin/elasticsearch-certutil ca --ca-dn CN=test.example.com
... followed by ...
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -name "CN=test.example,OU=Consulting Team,DC=your_domain_name,DC=com"
... it will create a file called "CN=test.example,OU=Consulting Team,DC=your_domain_name,DC=com". I also tried putting my server's IP address instead of the domain name, but it also doesn't work.
It would be very helpful if someone could explain what the steps and commands to create the elastic-certificates.p12 file look like. I would appreciate examples with "test.example.com" or an IP address. I strongly believe that it is only about those two commands. The part of copying files and creating folders is fairly easy.
Let's Encrypt
Since I already encrypted communication on my domain with Let's Encrypt, I have pem-files in the following folder: /usr/local/psa/var/modules/letsencrypt/etc/archive/test.example.com.
Can't I use those to secure Elasticsearch and Kibana? I copied them to my config-certs-folder and adjusted the elastic configuration file, but it didn't work. What would the configuration look like with those certificates?
Last but not least my configuration file of Elasticsearch (elasticsearch.yml):
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
Thanks in advance for your time!
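
The PEM-based setup asked about above, as an added example that is not part of the original post: an elasticsearch.yml that serves the HTTP layer from Let's Encrypt PEM files and keeps the transport layer on the PKCS#12 file. The file names privkey.pem and fullchain.pem and their location under certs/ are assumptions.

```yaml
# elasticsearch.yml (added example; file names and locations are assumptions)
network.host: 127.0.0.1
xpack.security.enabled: true

# HTTP layer (REST API, Kibana, browsers): PEM files from Let's Encrypt.
# Assumed: privkey.pem and fullchain.pem were copied into <config dir>/certs/
# and are readable only by the user that runs Elasticsearch.
# The key/certificate settings replace keystore.path/truststore.path;
# the two styles cannot be combined for the same layer.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/privkey.pem
xpack.security.http.ssl.certificate: certs/fullchain.pem

# Transport layer (node to node): keep the PKCS#12 file issued by the
# private CA from elasticsearch-certutil. With verification_mode:
# certificate, any certificate signed by a trusted CA is accepted, so the
# trust anchor here should be a CA that only you control, not a public one.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

Let's Encrypt certificates are renewed periodically, so the copied PEM files have to be refreshed after each renewal.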