XPACK Security in ELK stack 7.1.1

Hi Guys,

I am working with ELK stack 7.1.1 version on kubernetes using image: docker.elastic.co/elasticsearch/elasticsearch:7.1.1
I am facing an issue , when xpack security is enabled on elasticsearch cluster , elasticsearch components fail to start with below error. It says either disable the security or change xpack.security.transport.ssl.enabled to true as i am on basic license.

{"type": "server", "timestamp": "2019-06-03T15:00:26,674+0000", "level": "INFO", "component": "o.e.b.BootstrapChecks", "cluster.name": "opselasticsearch", "node.name": "elasticsearch-master-2", "message": "bound or publishing to a non-loopback address, enforcing bootstrap
checks" }
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

why do i need to enable ssl if i am on basic licsense and xpac security enabled is true.

please help me to understand this.

This is a requirement for ALL licenses that allow ssl (apart from the trial license), not just basic. You need to enable ssl for the transport layer because since you have enabled security, now nodes will start sending data between them that will contain sensitive data such as passwords. If you don't enable SSL, this data is sent between nodes in plaintext


So, this means I have to generate certificates also for this ssl to work, because enabling this ssl property alone to true doesn't help as it looks for certificates and gives handshake failure.

Yes, that is exactly what this mean.

You must configure SSL between nodes in order to enable security.

Can you please give a guide which tells the steps for containerised elk stack. The link above is just for single node and doesn't include all steps.


For a cluster that is running in production mode with a production license, once security is enabled, transport TLS/SSL must also be enabled. On the other hand, if we are running with a trial license, then transport TLS/SSL is not obligatory.

If we are running with a production license and we attempt to start the cluster with security enabled before we have enabled transport TLS/SSL, we will see the following error message:

Transport SSL must be enabled for setups with production licenses. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

1 Like

Hi @ylasri, this is expected behavior. Is there a question? If so, can you please open a new issue, so that it's clearer for people reading the forums?

Hi @ikakavas I just provided this comment as answer to @sunnynazar issue
In my dev env i change discovery.type to single-node to get thing working quickly

Gotcha, thank you for the clarification and the feedback !

Issue was fixed. thanks @all.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.