I'm having trouble configuring transport and HTTP SSL for Elastic Stack in my environment. The environment is Windows 2016 (domain-joined) and everything in the stack works fine. I've enabled x-pack security and followed the instructions here for configuring SSL.
This didn't really work as Kibana wouldn't work on HTTPS and when testing Elasticsearch using curl, I had to add --ssl-no-revoke to get Elasticsearch to work, otherwise, I received an error about failing to check the revocation list for the certificate (which I think was causing the Kibana issues as well).
Are there any instructions for configuring SSL in a Windows domain-joined environment using certificates issued by the internal Enterprise CA, which would be preferable than the self-generated certificates, or any workaround for the certificate revocation error issue?
Can you give us more information ? What was the error, what was printed in the logs ?
You actually had to use --ssl-no-revoke to get curl to work. If I get this right, Elasticsearch "works" fine, but it's curl that fails to connect to it because it can check the revocation status of the certificate that your internal Enterprise CA has issued.
I'm afraid I can't think of something. Have you talked to your AD admin about the issue ? It sounds like your machine isn't configured to consume or can't connect to your CAs CRLs.
You actually had to use --ssl-no-revoke to get curl to work. If I get this right, Elasticsearch "works" fine, but it's curl that fails to connect to it because it can check the revocation status of the certificate that your internal Enterprise CA has issued.
This is correct, but the certificate isn't issued by the Enterprise CA, its the one generated by the elasticsearch-certutil utility.
in a Windows domain-joined environment using certificates issued by the internal Enterprise CA
which seemed to indicate otherwise.
I see two options:
You keep using the certficates you have now ( generated with elasticsearch-certutil ) and you speak to your AD admin about how you can add them to the CRL lists your domain is using.
a. You get your AD to issue a sub-CA for your internal CA and have that subCA sign all the certificates that you will then use for the transport layer in your nodes. You need to make sure that this subCA will only issue certificates for your nodes though.
b. For the http layer you can use certificates signed directly from your organizational CA, no issue about that
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.