Xpack SSL configuration of organization-specific certificate authority

I created a CSR file with certgen --csr,
sent the file to our organization's certificate authority and got the cer file,
but I don't know how to configure it correctly to work in secure mode.

Which trusted certificates do I need to get from our CA, just the root certificate or more...

Did someone configure ELK with a SPECIFIC CA?

Thanks
Avinoam

I've moved your question to the X-Pack category as it relates to X-Pack Security.

I'm making the following assumptions:

  1. You want to configure SSL for transport communication (communication between the cluster's nodes) and for HTTP (the REST interface for clients).
  2. You're using a single certificate for your whole cluster (I assume this based on your use of "a CSR file" above)
  3. The certificate you received from your CA has a Subject Alternative Name for every hostname in your cluster.

Numbers 2 and 3 will also be true if you just have a single node cluster, but in that case you probably don't want to configure SSL for transport communication, and just switch to single node discovery instead.

The instructions below will be a little different if those assumptions are not true.

You need to do 3 things:

  1. Copy your certificate onto your elasticsearch nodes.
  2. Configure your nodes to trust your organization's certificate authority.
  3. Enable TLS.

Copy your certificate onto your elasticsearch nodes.

You need the .cer file from your organization's CA, and you also need the .key file that was produced when you ran certgen.
You need to copy both of those files onto your elasticsearch server, and place them somewhere within your config directory. I recommend placing everything in config/ssl/, but it doesn't really matter as long as it's somewhere within the config directory.
For the sake of this post, I'll assume that you call them config/ssl/elasticsearch.cer and config/ssl/elasticsearch.key, but you should use whatever names are meaningful for you.

Configure your nodes to trust your organization's certificate authority.

Since you are using an organisation-wide CA, there are a few options here.
It's possible that your organisation CA is already installed as a trusted CA within your JVM. A lot of organisations run packaging scripts that automatically configure that, but I don't know if that's the case for you.

The simplest, more reliable option is to get a copy of the CA certificate in PEM format (something named .cer or .crt or .cert is probably going to be a PEM file) and install a copy in your config/ssl/ directory e.g. as config/ssl/org-ca.cer
Then, in your config/elasticsearch.yml file, you add

xpack.security.transport.ssl.certificate_authorities: [ "ssl/org-ca.cer" ]

X-Pack automatically looks within the "config/" directory, so you don't include the "config/" part of your pathname.

Enable TLS

Assuming you used the pathnames I gave above, you'd want to have something like this in your elasticsearch.yml (on every node)

xpack.ssl.key: ssl/elasticsearch.key
xpack.ssl.certificate: ssl/elasticsearch.cer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate_authorities: [ "ssl/org-ca.cer" ]
xpack.security.http.ssl.enabled: true

Then do a full cluster restart (i.e. shutdown all the nodes in your cluster, and bring them up again).

Now, SSL should be enabled and you should be able to connect to the cluster over https.

If you are using Kibana, then you will need to make some configuration changes there as well.

Thanks a lot for your professional answer.
I'll try it.

Hi

It didn't work ...
This is what I put in elasticsearch.yml

xpack.ssl.key: /etc/elasticsearchuat/x-pack/disc_cert/lnxelk01.key
xpack.ssl.certificate: /etc/elasticsearchuat/x-pack/disc_cert/lnxelk01.cer
xpack.ssl.certificate_authorities: [ "/etc/elasticsearchuat/x-pack/disc_cert/HO_ROOT_CA.cer" ,"/etc/elasticsearchuat/x-pack/disc_cert/IntranetIntermidiate.cer" ]

and this is what we got in the log

[2017-11-07T15:42:05,302][INFO ][o.e.n.Node ] [uat_1] started
[2017-11-07T15:42:06,452][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [uat_1] http client did not trust this server's certificate, closing connection [id: 0x6a7e470a, L:0.0.0.0/0.0.0.0:9500 ! R:/160.66.1.119:54338]
[2017-11-07T15:42:07,729][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [uat_1] caught exception while handling client http traffic, closing connection [id: 0x2b058ca5, L:0.0.0.0/0.0.0.0:9500 ! R:/160.66.1.119:54341]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a486f73743a203136

What could be the problem?

Thanks Avinoam

The error messages you are receiving are quite explicit:

  • http client did not trust this server's certificate
  • not an SSL/TLS record

In the first case, whatever HTTP client you are using to connect to ES isn't configured to trust your certificate.
In the second case, the client isn't configured to use https at all.
That's a client problem not an Elasticsearch problem.

What is the client? How has it been configured?
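
The diagnosis in the reply above can be read straight off the posted log. This added example (not part of the original thread, and not Elastic's code) decodes the hex dump that follows "not an SSL/TLS record" and classifies what the client actually sent; the function names are hypothetical, and the two log lines are the ones quoted in the post.

```python
import re

# Log lines copied from the post above (the exception line carries the hex dump).
LOG = """\
[2017-11-07T15:42:06,452][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [uat_1] http client did not trust this server's certificate, closing connection [id: 0x6a7e470a, L:0.0.0.0/0.0.0.0:9500 ! R:/160.66.1.119:54338]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a486f73743a203136
"""

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")
NOT_TLS = re.compile(r"not an SSL/TLS record: ([0-9a-fA-F]+)")


def classify_payload(hex_dump):
    """Decode the bytes the TLS handler rejected and say what they look like."""
    if len(hex_dump) % 2:              # tolerate a dump cut mid-byte
        hex_dump = hex_dump[:-1]
    raw = bytes.fromhex(hex_dump)
    # A TLS record starts with a content type (20-23) and major version 3.
    if len(raw) >= 2 and 20 <= raw[0] <= 23 and raw[1] == 3:
        return "tls-record", raw
    # A plaintext HTTP request starts with the method followed by a space.
    if raw.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http", raw
    return "unknown", raw


def diagnose(log_text):
    """Return one (finding, detail) tuple per recognised log line."""
    findings = []
    for line in log_text.splitlines():
        m = NOT_TLS.search(line)
        if m:
            kind, raw = classify_payload(m.group(1))
            findings.append((kind, raw.decode("ascii", "replace")))
        elif "did not trust this server's certificate" in line:
            # Detail is the remote address of the client that rejected the cert.
            findings.append(("client-missing-ca", line.split("R:/")[-1].rstrip("]")))
    return findings


if __name__ == "__main__":
    for finding in diagnose(LOG):
        print(finding)
```

The second finding decodes to the start of a `HEAD / HTTP/1.1` request, i.e. the client spoke plain HTTP to a port that now expects TLS.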

Hey
I found the solution after opening a case with Elastic support.
Our CA created a PFX that was with extended keys of SERVER & CLIENT
