TLS Key location after installation

I'm on my second attempt at installing ES and Metricbeat to monitor the node (Ubuntu 22.04). I'm still unable to get Metricbeat to connect due to lack of the TLS key, which I can't locate.

Per the doc at Install Elasticsearch with Debian Package | Elasticsearch Guide [8.11] | Elastic:

Certificates and keys for TLS are generated for the transport and HTTP layer, and TLS is enabled and configured with these keys and certificates.

The password and certificate and keys are output to your terminal.

This is the entirety of the installation report:

# apt-get install elasticsearch
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libnuma1
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  elasticsearch
0 upgraded, 1 newly installed, 0 to remove and 7 not upgraded.
Need to get 631 MB of archives.
After this operation, 1317 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/8.x/apt stable/main amd64 elasticsearch amd64 8.11.3 [631 MB]
Fetched 631 MB in 17s (36.8 MB/s)
Selecting previously unselected package elasticsearch.
(Reading database ... 105179 files and directories currently installed.)
Preparing to unpack .../elasticsearch_8.11.3_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (8.11.3) ...
Setting up elasticsearch (8.11.3) ...
--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : REDACTED

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

I see all the other certs on the filesystem, but not the key. Am I missing something?

To clarify, I am aware of the .p12 files in /etc/elasticsearch/certs, but when I try to configure Metricbeat with them, I get this error regardless of what I try:

Exiting: error loading config file: yaml: line 94: did not find expected key

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://es-node1-stage:9200"]
     ssl:
        certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]
        certificate: "/etc/elasticsearch/certs/http.p12"
        key: "/etc/elasticsearch/certs/http.p12"

OK, doh...bad YAML! I think I'm good now...

Hi @Chris_Stone

Hi Chris, not sure what key you are looking for...

The password and certificate and keys are output to your terminal.

I think that is a little out of date and should just say password.

If you want to connect Metricbeat ... follow the docs here

You just need the /etc/elasticsearch/certs/http_ca.crt on each host, or create the trusted fingerprint.

You do not need those on the metricbeat side.
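
The two options from the answer above (trust `http_ca.crt`, or pin its fingerprint), as an added example that is not part of the original posts or Elastic's own tooling. The function names are hypothetical, `ssl.ca_trusted_fingerprint` is the Beats setting assumed for the fingerprint option, and the host and CA path are the ones from the question.

```sh
#!/bin/sh
# Added example: Metricbeat only has to trust the Elasticsearch HTTP CA.
# No client certificate or key (and no .p12) is configured on the Beat.

# Print the CA certificate's SHA-256 fingerprint as bare hex.
ca_fingerprint() {
  # openssl prints "sha256 Fingerprint=AB:CD:..."; a file that is not a
  # readable certificate makes openssl fail, and so does this function.
  _fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
  printf '%s\n' "${_fp#*=}" | tr -d ':'
}

# Emit an output.elasticsearch block for Metricbeat.
#   $1 host URL, $2 path to http_ca.crt, $3 "ca" (default) or "fingerprint"
# Authentication settings (username/password or api_key) are left out here.
render_output() {
  _host=$1; _ca=$2; _mode=${3:-ca}
  case $_mode in
    ca)
      # The Beat reads the CA file itself, so copy it to the Beat's host.
      _tls="certificate_authorities: [\"$_ca\"]" ;;
    fingerprint)
      # Only the hash is stored; run this where the CA file is readable.
      _hex=$(ca_fingerprint "$_ca") || return 1
      _tls="ca_trusted_fingerprint: \"$_hex\"" ;;
    *)
      echo "unknown mode: $_mode" >&2; return 2 ;;
  esac
  # "ssl:" is a sibling of "hosts:", both two spaces under the output key.
  printf 'output.elasticsearch:\n'
  printf '  hosts: ["%s"]\n' "$_host"
  printf '  ssl:\n'
  printf '    %s\n' "$_tls"
}

# Run as: sh <this-script> https://es-node1-stage:9200 /etc/elasticsearch/certs/http_ca.crt fingerprint
if [ "$#" -ge 2 ]; then
  render_output "$@"
fi
```

The fingerprint option relies on the CA certificate being part of the chain Elasticsearch presents during the handshake.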

Thanks, @stephenb! That was very helpful...

--Chris

Now that we got here... just for completeness' sake, there's the http.p12 truststore key for the transport cert buried in the elasticsearch.keystore ... but you do not need that.
