I am trying to set up basic authentication on Elasticsearch. I found it's required to set up an SSL certificate also.
Following this article: https://pimwiddershoven.nl/entry/deploy-a-secure-instance-of-elasticsearch-on-kubernetes
The cluster is up and running on Kubernetes using Helm.
But when sending
curl -H "Authorization: Basic ZWxsdfasdfiojoijQw==" https://localhost:9200
it's giving an error like
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
But when sending the request using curl insecure mode, or with -k, it's working fine and I can see the cluster health.
It's due to the self-signed certificate. Am I missing anything?
The official Helm chart also suggests the same way to generate the certificate and add it into the cluster.
https://github.com/elastic/helm-charts/tree/master/elasticsearch/examples/security
Update:
Elastic.yaml
protocol: https
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.authc.realms.native.local.order: 0
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
If you are trying to set up HTTPS on a Kubernetes svc and using it as DNS, it won't work without curl -k or --insecure.
Unless and until you have a proper DNS and domain name to resolve, it won't work; you have to use insecure mode only.
Use the proper domain name and generate a certificate, and it will work like a charm.
However, for verification you can also do:
curl --cacert $path_to_certificate https://host_ip:9200
Easy Workaround
You can use nginx in front of the ES cluster, terminate SSL there, and send HTTP requests to ES, while your domain up to nginx will have HTTPS (SSL/TLS).
If you just want basic auth (username/password) with HTTP only
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
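
The two things curl checks in this situation (the chain of trust and the host name in the URL), as an added example that is not part of the original question or answer: it extracts the CA from the elastic-certificates.p12 bundle so it can be passed to curl --cacert, and reports which check would fail. The function names and the angle-bracket placeholders are assumptions, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example: separate "CA not trusted" from "host name not in certificate".

# Write only the CA certificate(s) from a PKCS#12 bundle to a PEM file
# usable with curl --cacert. Args: <bundle.p12> <password> <out.pem>
extract_ca() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" -out "$3" 2>/dev/null
}

# Write the node (leaf) certificate to a PEM file. Same arguments.
extract_leaf() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null
}

# Succeeds if <leaf.pem> chains to <ca.pem>. Args: <ca.pem> <leaf.pem>
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the certificate covers the host name. Args: <leaf.pem> <host>
name_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# Print ok, bad-bundle, untrusted-chain or hostname-mismatch.
# Args: <bundle.p12> <password> <host name used in the URL>
diagnose() {
    tmp=$(mktemp -d) || return 2
    if ! extract_ca "$1" "$2" "$tmp/ca.pem" ||
       ! extract_leaf "$1" "$2" "$tmp/leaf.pem"; then
        result=bad-bundle
    elif ! chain_ok "$tmp/ca.pem" "$tmp/leaf.pem"; then
        result=untrusted-chain
    elif ! name_ok "$tmp/leaf.pem" "$3"; then
        result=hostname-mismatch
    else
        result=ok
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Usage (placeholders in angle brackets are assumptions, not from the page):
#   diagnose elastic-certificates.p12 '<p12 password>' '<host in URL>'
#   extract_ca elastic-certificates.p12 '<p12 password>' ca.pem
#   curl --cacert ca.pem -u '<user>' 'https://<host in URL>:9200'
```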