ylasri
(Yassine LASRI)
September 25, 2020, 2:53pm
1
I am trying to connect Workplace Search to a secured Elasticsearch cluster.
The ES cluster is secured using TLS at the HTTP & transport level (I used bin\elasticsearch-certutil cert --keep-ca-key --pem --in instance.yml --out certs.zip).
So elasticsearch.yml looks like this:
discovery.type: single-node
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs_ssl/node01/node01.key
xpack.security.http.ssl.certificate: certs_ssl/node01/node01.crt
xpack.security.http.ssl.certificate_authorities: certs_ssl/ca/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs_ssl/node01/node01.key
xpack.security.transport.ssl.certificate: certs_ssl/node01/node01.crt
xpack.security.transport.ssl.certificate_authorities: certs_ssl/ca/ca.crt
The same key is used to connect Kibana to the cluster without any issue.
Now I'm trying to use the same SSL key & crt to connect WS to Elasticsearch,
so my docker-compose for Workplace Search looks like this:
environment:
  - elasticsearch.host='https://es_host:9200'
  # Elasticsearch SSL settings:
  - elasticsearch.ssl.enabled=true
  - elasticsearch.ssl.certificate=/opt/certs_ssl/node01/node01.crt
  - elasticsearch.ssl.certificate_authority=/opt/certs_ssl/ca/ca.crt
  - elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key
  - elasticsearch.ssl.key_passphrase=
  - elasticsearch.ssl.verify=true
But when running WS, I'm getting this error:
Attaching to workplace-7.9.2
workplace-7.9.2 | Found java executable in PATH
workplace-7.9.2 | Java version detected: 1.8.0_252 (major version: 8)
workplace-7.9.2 | Enterprise Search is starting...
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |
workplace-7.9.2 | Invalid config file (/usr/share/enterprise-search/config/enterprise-search.yml):
workplace-7.9.2 | The setting '#/elasticsearch/ssl/key' is not valid: error reading file '/opt/certs_ssl/node01/node01.key'
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |
What format should I use for the SSL key?
Thank you for your help
Sean_Story
(Sean Story)
September 25, 2020, 3:32pm
2
Something isn't lined up between your configuration and your error message. Your docker environment has:
- elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key
but the error says: The setting '#/elasticsearch/ssl/key' is not valid: error reading file '/opt/certs_ssl/ca/ca.key'
Is it possible that you've accidentally set a path to a key file that does not exist?
ylasri
(Yassine LASRI)
September 25, 2020, 3:42pm
3
Sorry, this was just a typo when writing this discussion.
Here is my docker-compose.yml and the original error:
Attaching to workplace-7.9.2
workplace-7.9.2 | Found java executable in PATH
workplace-7.9.2 | Java version detected: 1.8.0_252 (major version: 8)
workplace-7.9.2 | Enterprise Search is starting...
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |
workplace-7.9.2 | Invalid config file (/usr/share/enterprise-search/config/enterprise-search.yml):
workplace-7.9.2 | The setting '#/elasticsearch/ssl/key' is not valid: error reading file '/opt/certs_ssl/node01/node01.key'
workplace-7.9.2 |
workplace-7.9.2 | --------------------------------------------------------------------------------
workplace-7.9.2 |
[root@51-158-22-215]# more docker-compose.yml
version: '3.8'
services:
  workplace:
    image: docker.elastic.co/enterprise-search/enterprise-search:7.9.2
    container_name: workplace-7.9.2
    restart: always
    environment:
      - elasticsearch.host='https://ip_host:9200'
      # Elasticsearch SSL settings:
      - elasticsearch.ssl.enabled=true
      - elasticsearch.ssl.certificate=/opt/certs_ssl/node01/node01.crt
      - elasticsearch.ssl.certificate_authority=/opt/certs_ssl/ca/ca.crt
      - elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key
      - elasticsearch.ssl.key_passphrase=
      - elasticsearch.ssl.verify=false
      - ent_search.auth.source=standard
      - elasticsearch.username=elastic
      - elasticsearch.password=changeme
      - allow_es_settings_modification=true
      # Use=openssl rand -hex 32
      - secret_management.encryption_keys=['key']
      - secret_session_key=key
      - ent_search.external_url=https://ip:3002
      - ent_search.listen_host=ip
      - ent_search.listen_port=3002
      - email.account.enabled=true
      - email.account.smtp.auth=plain
      - email.account.smtp.starttls.enable=true
      - email.account.smtp.host=smtp.gmail.com
      - email.account.smtp.port=587
      - email.account.smtp.user=from@gmail.com
      - email.account.smtp.password=changeme
      - email.account.email_defaults.from=from@gmail.com
      # Configure TLS/SSL encryption.
      - ent_search.ssl.enabled=true
      - ent_search.ssl.keystore.path=/opt/certs_ssl/node01/node01.key
      - ent_search.ssl.keystore.password=
      #- ent_search.ssl.keystore.key_password=
      #- ent_search.ssl.redirect_http_from_port=
    ports:
      - 3002:3002
    network_mode: "host"
volumes:
  data:
    driver: local
Sean_Story
(Sean Story)
September 25, 2020, 3:48pm
4
Ok great. Can you actually ssh into that docker container and validate that there's a file at /opt/certs_ssl/node01/node01.key and that its permissions are such that the Enterprise Search process can read it? The error is literally that Enterprise Search can't do a File.read('/opt/certs_ssl/node01/node01.key').
ylasri
(Yassine LASRI)
September 25, 2020, 3:55pm
5
Thanks for the hint, looks like I forgot to map the volume.
I added this part into my docker-compose.yml:
volumes:
  - /opt/certs_ssl:/opt/certs_ssl
Now it's working
Attaching to workplace-7.9.2
workplace-7.9.2 | Found java executable in PATH
workplace-7.9.2 | Java version detected: 1.8.0_252 (major version: 8)
workplace-7.9.2 | Enterprise Search is starting...
workplace-7.9.2 | [2020-09-25T15:37:50.423+00:00][1][2002][app-server][INFO]: Enterprise Search version=7.9.2, JRuby version=9.2.9.0, Ruby version=2.5.7, Rails version=4.2.11.3
workplace-7.9.2 | [2020-09-25T15:37:51.063+00:00][1][2002][app-server][INFO]: Successfully connected to Elasticsearch
workplace-7.9.2 | [2020-09-25T15:38:03.756+00:00][1][2002][app-server][INFO]: [db_lock] [installation] Status: [Starting] Ensuring migrations tracking index exists
workplace-7.9.2 | [2020-09-25T15:38:03.951+00:00][1][2002][app-server][INFO]: [db_lock] [installation] Status: [Finished] Ensuring migrations tracking index exists
workplace-7.9.2 | [2020-09-25T15:38:04.922+00:00][1][2002][app-server][INFO]: Creating/updating Enterprise Search indices
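Added example (not part of the thread and not Elastic's code): a static check for the failure diagnosed above, where a setting points at a file path that no volume maps into the container. It assumes short-syntax `host:container[:mode]` mounts and uses a simple line parser instead of a YAML library; the function names are hypothetical.

```python
import posixpath

# Constructed sample: the SSL settings from the compose file posted in the thread.
COMPOSE_BEFORE = """\
services:
  workplace:
    image: docker.elastic.co/enterprise-search/enterprise-search:7.9.2
    environment:
      - elasticsearch.ssl.certificate=/opt/certs_ssl/node01/node01.crt
      - elasticsearch.ssl.certificate_authority=/opt/certs_ssl/ca/ca.crt
      - elasticsearch.ssl.key=/opt/certs_ssl/node01/node01.key
      - elasticsearch.ssl.key_passphrase=
"""
# The fix from the thread: map the host certificate directory into the container.
COMPOSE_AFTER = COMPOSE_BEFORE + """\
    volumes:
      - /opt/certs_ssl:/opt/certs_ssl
"""

def list_items(text, section):
    """Collect '- item' entries under every 'section:' key (line-based, no YAML library)."""
    items, indent = [], None
    for line in text.splitlines():
        stripped, depth = line.strip(), len(line) - len(line.lstrip())
        if stripped == section + ":":
            indent = depth
        elif indent is not None and stripped.startswith("- ") and depth >= indent:
            items.append(stripped[2:].strip())
        elif indent is not None and stripped and not stripped.startswith("#") and depth <= indent:
            indent = None  # a sibling or parent key closes the section
    return items

def mount_targets(text):
    """Container-side paths of short-syntax mounts: host:container[:mode]."""
    parts = (item.strip("'\"").split(":") for item in list_items(text, "volumes"))
    return [posixpath.normpath(p[1]) for p in parts if len(p) >= 2]

def unmounted_paths(text):
    """Map each setting whose value is an absolute path to that path if no mount covers it."""
    targets = mount_targets(text)
    missing = {}
    for item in list_items(text, "environment"):
        key, _, value = item.partition("=")
        value = value.strip("'\"")
        if value.startswith("/"):
            path = posixpath.normpath(value)
            if not any(path == t or path.startswith(t.rstrip("/") + "/") for t in targets):
                missing[key] = path
    return missing

if __name__ == "__main__":
    for key, path in unmounted_paths(COMPOSE_BEFORE).items():
        print(f"{key}: {path} is not under any mounted volume")
```

A reported path can still exist if the file is baked into the image, so treat the output as a list of paths to confirm inside the container.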