Trusting remote clusters' CA

Hi,

I have two scenarios and would like a solution for both.

  1. I created a new cluster (8.6.X) with the self-generated certificates and enrolled new nodes. After that, I want to create a separate cluster, but I'd like to have it as a remote cluster. Without creating a ton of new certificates and copying those all over the world, how can I make the two clusters trust each other? I tried to change the transport xpack settings like this, but it didn't work (duh):
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
#  truststore.path: certs/transport.p12
  certificate_authorities: ["certs/http_ca.crt","certs/http_ca_remote.crt"]
  2. I have a cluster with certificates I generated myself without the ES tool (20+ nodes) and a new cluster with the automatically generated certificates. I have to connect the old cluster as a remote cluster until I can age out data (100TB+) and would like to avoid generating new certificates, since the setup gets a lot less complicated if I can use the auto-generated certs. What can I do?

Remote cluster connection uses the Transport interface, not HTTP. You'll need to configure it with the Transport CA files.

@Yang_Wang, so when I install a vanilla Elasticsearch, it creates two different CAs, one for the HTTP and one for the transport interface. And I need to extract the CA from the p12 file that was created for the transport layer?

I did run this:
openssl pkcs12 -in transport.p12 -cacerts -nokeys -chain > transport_self.ca.pem

And it seems this is working. Now I can use those files to connect clusters.
