TLS between Elasticsearch cluster nodes with Let's Encrypt

Hi @Luca_Belluccini,

first of all, thank you for taking the time to answer my question.

I certainly know that blog, spent the last few hours on it.

You are right, I should've set the hostnames to their FQDN, so host01.mydomain.com. Just did it, but it kept complaining that it doesn't trust the certificate's issuer (Let's Encrypt).

Maybe it is a matter of including some root certificate in the xpack.security.transport.ssl.certificate_authorities parameter, or making CentOS trust the Let's Encrypt root certificate... I'm really not experienced with PKI infrastructure. Actually in that blog there is something on that matter:

If your Java cacerts keystore does not contain the DST Root CA X3 certificate or newer ISRG Root X1 CA certificate for any reason, you could also provide the Certificate Authorities certificates directly to Elasticsearch via the following configuration. This was not required with an updated version of CentOS 6, but you may find that either the DST Root CA X3 certificate or the newer ISRG root CA used by Let's Encrypt may not be recognized by some older OS or web browser versions:

That means I have to download a root certificate from Let's Encrypt and tell Elasticsearch to consider that?

One last thing, about that second question, nice to know that Elasticsearch keeps an eye on the files to see if they change. But the thing is, since I had to copy the certificates from the official directory to inside Elasticsearch's config directory, whenever certbot updates my certificates (3 months from now) I'll have to have something that executes this copy again... right?

Or is that something that changed from the time the blog was written and now I can point to certificates outside the config dir?
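
The copy-on-renewal step asked about in the post above, written as a certbot deploy hook. This is an added example, not part of the original post or of the blog it quotes; the destination directory `/etc/elasticsearch/certs` and the `ES_CERT_DIR` / `ES_CERT_OWNER` variables are assumptions, while `--deploy-hook` and `RENEWED_LINEAGE` are certbot's own.

```shell
#!/bin/sh
# Added example: run as `certbot renew --deploy-hook /path/to/this-script`.
# certbot exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/host01.mydomain.com
# ES_CERT_DIR and ES_CERT_OWNER are assumed names; adjust to your install.

ES_CERT_DIR="${ES_CERT_DIR:-/etc/elasticsearch/certs}"

# Copy fullchain.pem and privkey.pem from a certbot lineage directory into
# dest, replacing each file atomically and only when its content changed.
# Prints the number of files updated; returns non-zero on any failure.
install_renewed_certs() {
    src=$1
    dest=$2
    updated=0
    mkdir -p "$dest" || return 1
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        if ! cmp -s "$src/$f" "$dest/$f" 2>/dev/null; then
            # Write a temp file in the same directory, then rename it, so
            # Elasticsearch never picks up a half-written certificate or key.
            tmp=$(mktemp "$dest/.$f.XXXXXX") || return 1
            if ! { cat "$src/$f" > "$tmp" && chmod 600 "$tmp"; }; then
                rm -f "$tmp"; return 1
            fi
            # Hand the file to the service account, e.g. elasticsearch:elasticsearch.
            if [ -n "${ES_CERT_OWNER:-}" ] && ! chown "$ES_CERT_OWNER" "$tmp"; then
                rm -f "$tmp"; return 1
            fi
            mv -f "$tmp" "$dest/$f" || return 1
            updated=$((updated + 1))
        fi
    done
    echo "$updated"
}

# Only act when certbot invoked us after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_certs "$RENEWED_LINEAGE" "$ES_CERT_DIR"
fi
```

The private key is copied with mode 600, so set `ES_CERT_OWNER` to the account Elasticsearch runs as or the node will not be able to read it.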