I installed an Elasticsearch cluster on my own servers. It has a couple of certificates, like http_ca.crt, http.p12 and transport.p12, in its certs folder.
These certificates were installed on the server by Elasticsearch.
Look at the configuration:
xpack.security.transport.ssl:
  enabled: true
  keystore.path: certs/http.p12
Now, I want to connect to my Elasticsearch from different sources such as Jaeger, but I don't know how to serve the correct certificate to establish the connection securely. Actually, I don't know about the certificates. I don't know which of them is for the client and which of them is for the server.
I tried to disable TLS verification, but this option is not available in all issues.
There are two types of certificates in Elasticsearch.
Intranode certificates (transport) can be generated with:
bin/elasticsearch-certutil ca
ENTER ENTER
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
ENTER ENTER ENTER
and these can be set in elasticsearch.yml:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
You can use the same certificates as client certificates. Then you need to add:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
Here is a nice source: https://www.elastic.co/blog/elasticsearch-security-configure-tls-ssl-pki-authentication
This is also worth reading: https://discuss.elastic.co/t/generates-self-signed-client-certificates-not-server-certificates-for-elasticsearch-clients/352182
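An added example (not part of the original question or answer, and not Elastic's own code): a small audit that reads the settings shown above, in either the nested or the dotted form, and reports per TLS layer what an HTTP client such as Jaeger has to be given. The function names and the rule that flags a transport keystore named like the HTTP one are assumptions made for illustration.

```python
import os
# Settings taken from the question (nested form) and a subset of the answer's (dotted form).
QUESTION_CFG = """\
xpack.security.transport.ssl:
  enabled: true
  keystore.path: certs/http.p12
"""
ANSWER_CFG = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
"""

def parse_settings(text):
    """Flatten elasticsearch.yml text (dotted or one-level nested keys)."""
    settings, prefix = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not value.strip():          # "xpack.security.transport.ssl:" opens a block
            prefix = key + "."
            continue
        if line[0] not in " \t":       # a top-level key closes the open block
            prefix = ""
        settings[prefix + key] = value.strip()
    return settings

def audit(text):
    """Return (findings, what_an_http_client_needs) for one settings text."""
    s = parse_settings(text)
    get = lambda layer, key, default="": s.get(f"xpack.security.{layer}.ssl.{key}", default)
    findings = []
    ks = os.path.basename(get("transport", "keystore.path"))
    if ks.startswith("http"):          # hypothetical naming heuristic, see lead-in
        findings.append(f"transport layer loads {ks}, named like the HTTP-layer keystore")
    if get("http", "enabled") != "true":
        findings.append("no http.ssl.enabled: true in this text")
        return findings, []
    needs = ["CA certificate that signed the HTTP-layer certificate"]
    auth = get("http", "client_authentication", "none")   # "none" is the HTTP default
    if auth == "required":
        needs.append("client certificate and key trusted by the HTTP truststore")
    elif auth == "optional":
        findings.append("client certificate is accepted but not demanded")
    return findings, needs
```

Calling `audit(QUESTION_CFG)` and `audit(ANSWER_CFG)` shows the difference: with `client_authentication: optional` the client only needs the CA certificate to verify the server, and a client certificate becomes necessary only when that setting is `required`.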