Trouble enabling SSL for elastic search


(james) #1

I'm trying to enable ssl for the elasticsearch service on tcp 9200

I've followed the instructions using certgen and updating the config here: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html

When I start elasticsearch it starts normally however it is still only functioning with HTTP.

When I check the logs there is no mention of any errors at all.

Can anybody point me in the right direction on where to look next?


(Christian Dahlqvist) #2

Can you conform you are using Elasticsearch 5.x and have X-Pack installed? If this is the case I would recommend moving this to the X-Pack category.


(james) #3

Yes I am using version 5 and have xpack installed - how do I move it to the x-pack cateogry?


(Christian Dahlqvist) #4

I moved it for you.


(Tim Vernum) #5

Can anybody point me in the right direction on where to look next?

Can you post the relevant section of your elasticsearch.yml ?

It should look something like:

xpack:
  ssl:
    key: x-pack/ssl/node01/node01.key
    certificate: x-pack/ssl/node01/node01.crt
    certificate_authorities: [ "x-pack/ssl/ca/ca.crt" ]
  security:
    http:
        ssl:
            enabled: true

With that configured, then you should be able to do:

curl -k -XGET -u elastic:changeme 'https://localhost:9200/'
{
  "cluster_name" : "elasticsearch",
  // ...
  "tagline" : "You Know, for Search"
}

(that's assuming the default password for the elastic user, but hopefully you've changed it to something secure)


(james) #6

I have the configuration:

xpack.ssl.key: /usr/share/elasticsearch/config/Elasticsearch.key
xpack.ssl.certificate: /usr/share/elasticsearch/config/Elasticsearch.crt
xpack.ssl.certificate_authorities: [ "usr/share/elasticsearch/config/ca.crt" ]
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true

and the curl you suggested responds with the following error:

curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.


(Tim Vernum) #7

xpack.ssl.certificate_authorities: [ "usr/share/elasticsearch/config/ca.crt" ]

Is that an exact copy of your config? It's missing a leading / and that should prevent the server from starting.


(Tim Vernum) #8

My guess, based on the info you've provided so far, is that the file you're editing isn't the one that elasticsearch is reading from.

Your config has a typo which ought to prevent the node from starting up, but if the typo is fixed then the config seems fine and SSL should be enabled.

What file are you editing, and how are you starting elasticsearch?


(james) #9

Good spotting! However I have changed that and still get the same error. (it looks like an invalid path doesn't cause an error.

It's definitely editing the right config file as if I make a mistake elsewhere, it will cease to start.

I'm really not sure where else to look? I can't seem to get it to spit out an error message.


(Tim Vernum) #10

it looks like an invalid path doesn't cause an error

I certainly does in 5.0.0, I can't imagine that the behaviour changed in 5.0.2, but I'll give it a test tomorrow if we haven't tracked it down.

If you're 100% sure that you're editing the correct file, then my best guess is that there's something else weird in your file that's causing it to ignore the xpack configuration.
YAML is a complex format with lots of weird stuff that you can do to mess things up if you try hard enough.
I suggest you try running your elasticsearch.yml file through a YAML parser/validator and check whether it produces the output you expect. There's a few online parsers that will do that job - Google can point you to them.


(Tim Vernum) #11

I just realised that you haven't said precisely which version of ES you're running - I was getting you confused with someone else.

What does bin/elasticsearch --version give you?


(james) #12

Version: 5.0.2, Build: f6b4951/2016-11-24T10:07:18.101Z, JVM: 1.8.0_111


(system) #13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.