2

I want to implement xpack security. The below code that I put in elasticsearch.yml. But I get an error that certificate does not exist. I have checked all directories in node, there is no elastic-certificates.p12. How can i solve this ? And how can i implement this ?

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.license.self_generated.type: basic

Thanks for answering

Orkun
  • 492
  • 4
  • 16
  • You specifiy the location and you create the files. Did you follow the [documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html), take a look at the documentation, the process is explained there. – leandrojmp Apr 15 '21 at 13:42

1 Answers1

4

Above configurations are fine, what you need to do is generate node certificates in order to encrypt the elasticsearch internode communication(TLS - Transport Layer Security). The reason is, by default elasticsearch transfer data in text format(even passwords) which is a poor security practice. Therefore, inter-node communication should be encrypted before enabling Xpack security. This can be achieved by using elasticsearch certutil package. Follow the below steps(not suitable for production only for testing purposes).

  1. Go to elasticsearch 'bin' directory in your terminal.
  2. Execute command ./elasticsearch-certutil ca This will generate a certificate authority in your elasticsearch main directory. When you are asked to enter a filename for your CA, hit "enter" then it'll take the default filename 'elastic-stack-ca.p12'. Then after it'll ask for a password for the CA(Certificate Authority), then again hit "enter".
  3. Now we need to generate a TLS certificate for your elasticsearch instance using above generated CA file. For that, execute ./elasticsearch-certutil cert --ca elastic-stack-ca.p12. when executing this command first, it'll ask for the password of your CA file, then hit 'enter' then after it'll ask for TLS certificate name then again hit 'enter' then it'll take the TLS certificate name as 'elastic-certificates.p12' which is the default name finally it'll ask for a password for the TLS certificate, then again hit 'enter'. Now you will be able see a two new files in your elasticsearch main directory.
  4. Copy the elastic-certificates.p12 file into elasticsearch 'config' directory. If you have multiple elasticsearch nodes copy the same file into each node's 'config' directory.
  5. Now start the elasticsearch instance/s

Please note that above configuration steps are not suitable for production, only for testing... :)

Dhanushka Samarasinghe
  • 80
  • 1
  • 7
  • Thanks for answering. Why it is not suitable for production ? and If I have more nodes should i do same steps for each node ? – Orkun Apr 19 '21 at 06:39
  • 1. The way I have explained above is the minimal way of do it. If you go for production you must add passwords for each certificate you generate otherwise it will be security issue of your cluster. 2. you can either use one node to generate all the certificates or each node's certutil package to generate their LTS certificates. [Follow this link for further details](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html#encrypt-internode-communication) – Dhanushka Samarasinghe Apr 19 '21 at 14:38