Hey folks,
Following these instructions, I've installed a single-node Elastic 7.8.0 on Docker.
Then I create default certs and keys with
bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
I move the .p12 to config/certs
To stop a previous error, I update the .p12 to have permissions 1000:1000
Then I edit config/elasticsearch.yml and add
cluster.name: "docker-cluster"
network.host: 0.0.0.0 # also tried the docker ip 123.1.0.1
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"
xpack.security.transport.ssl.truststore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"
xpack.security.http.ssl.truststore.path: "/usr/share/elasticsearch/config/certs/elastic-certificates.p12"
Then restart the container
When I go to set user passwords with
bin/elasticsearch-setup-passwords interactive
I get this error
WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [123.1.0.1]; the server provided a certificate with subject name [CN=instance] and fingerprint [d5a8c37fd3bbf48327e4753452c2b4ebe12660f2]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [75af257949c76373a50ff4fa2f90c97aaf7f10f1] {trusted issuer}) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is trusted in this ssl context ([xpack.security.http.ssl])
[x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:91) [elasticsearch-cli-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:116) [x-pack-security-7.8.0.jar:7.8.0]
SSL connection to https://123.1.0.1:9200/_security/_authenticate?pretty failed: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.
ERROR: Failed to establish SSL connection to elasticsearch at https://123.1.0.1:9200/_security/_authenticate?pretty.
I've troubleshooted this for a couple of days and checked this forum plenty.
- 123.1.0.1 is the IP of the Docker container with Elastic.
  I tried updating the config yml so the host ip = 123.1.0.1 but no effect.
- If I first set only TLS (not HTTPS), then I am able to set user passwords, but when I activate http.ssl I get an error message on Elasticsearch boot-up:
{"type": "server", "timestamp": "2020-06-24T22:47:48,739Z", "level": "WARN", "component": "o.e.b.BootstrapChecks", "cluster.name": "docker-cluster", "node.name": "d3b0717b5f42", "message": "Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.SSL.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]" }
And when I check config for xpack.security.transport.ssl.enabled: true
it's still there
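
A small triage helper for the DiagnosticTrustManager warning quoted in the post above, added here as an example (it is not part of the original post and not Elasticsearch's own code). It separates a chain-of-trust failure from a name-check failure; the function names are hypothetical, and the sample line is the post's warning with the "signed by" clause left out.

```python
import ipaddress
import re

# WARN line from the post above, shortened to the clauses the parser reads.
SAMPLE = (
    "WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to "
    "establish trust with server at [123.1.0.1]; the server provided a "
    "certificate with subject name [CN=instance] and fingerprint "
    "[d5a8c37fd3bbf48327e4753452c2b4ebe12660f2]; the certificate does not "
    "have any subject alternative names; the certificate is issued by "
    "[CN=Elastic Certificate Tool Autogenerated CA]; the "
    "[CN=Elastic Certificate Tool Autogenerated CA] certificate is trusted "
    "in this ssl context ([xpack.security.http.ssl])"
)

def parse(line):
    """Pull the bracketed fields out of one trust-failure message."""
    def grab(pattern):
        match = re.search(pattern, line)
        return match.group(1) if match else None
    return {
        "server": grab(r"with server at \[([^\]]+)\]"),
        "subject": grab(r"subject name \[([^\]]+)\]"),
        "fingerprint": grab(r"and fingerprint \[([0-9a-f]+)\]"),
        "context": grab(r"ssl context \(\[([^\]]+)\]\)"),
        "no_san": "does not have any subject alternative names" in line,
        "issuer_trusted": "certificate is trusted in this ssl context" in line,
    }

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def diagnose(line):
    """Classify the failure as a chain problem or a name-check problem."""
    f = parse(line)
    if f["server"] is None:
        return "unparsed: not a trust-failure message"
    if not f["issuer_trusted"]:
        return f"chain: issuer not trusted in {f['context']}"
    if f["no_san"]:
        kind = "iPAddress" if is_ip(f["server"]) else "dNSName"
        return (f"name check: chain is trusted but {f['subject']} has no SAN; "
                f"add a {kind} entry for {f['server']} ({f['context']})")
    return "name check: compare the listed SANs with the address used"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

For the post's warning the result is a name-check failure: the CA is trusted, but the client connected to an IP address and the certificate carries no SAN that could match it.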