Is there any way to use a single PEM file for Elasticsearch instead of keystore and truststore files?

  • Search Guard and Elasticsearch version: 5.5.2

Here is what I tried in my elasticsearch.yml:

```
path:
  logs: /tmp
  conf: /usr/share/elasticsearch/config

cluster.name: ${CLUSTER_NAME}

node:
  name: ${NODE_NAME}
  master: ${NODE_MASTER}
  data: ${NODE_DATA}
  ingest: ${NODE_INGEST}

discovery.zen:
  minimum_master_nodes: ${MINIMUM_MASTER_NODES}
  ping.unicast.hosts: ${HOSTS}
network.host: ${NETWORK_HOST}

http:
  enabled: ${HTTP_ENABLE}
  compression: true
  cors:
    enabled: ${HTTP_CORS_ENABLE}
    allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}

searchguard:
    ssl.transport:
        enabled: true
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    ssl.http:
        enabled: ${HTTP_SSL}
        # clientauth_mode: REQUIRE
        clientauth_mode: OPTIONAL
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    authcz.admin_dn:
      - "CN=elastic ,OU=devops, C=COM"
```

kibana.yml

```
server.port: 5601
server.host: '0.0.0.0'
elasticsearch.url: 'http://elasticsearch:9200'
elasticsearch.username: "elastic"
elasticsearch.password: "changeme"
searchguard.cookie.password: "defaultcookie"
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.requestHeadersWhitelist: [ "authorization", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles" ]
```

Sorry, did not get you fully:
Do you mean a single pem file which contains the certificate and the key as well?
Currently this is not possible, you need to set pemtrustedcas_filepath, pemkey_filepath and pemcert_filepath

In your example below, "searchguard.ssl.transport.pemtrustedcas_filepath" is missing.
And in kibana.yml you may want to use https://elasticsearch:9200 instead of http://elasticsearch:9200

On 31.10.2017 at 07:52, Udit Verma <udit.verma@srijan.net> wrote:


Yes I did add a key and cert separately,

```
searchguard:
    ssl.transport:
        pemkey_filepath: searchguard/ssl/elastic.key.
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
```

as a setting, still Elasticsearch wasn’t able to start.
Do I need to add anything else…?

As posted above, you need to set pemtrustedcas_filepath as well.

On Tuesday, October 31, 2017 at 10:57:12 AM UTC+1, Udit Verma wrote:

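
The requirement stated in the replies above, as an added example (not code from the thread or from Search Guard): a Python pre-flight check that reports which of the three PEM settings is missing per SSL layer and separates a combined key-plus-certificate PEM into its blocks. The config dict mirrors the posted elasticsearch.yml; the PEM bodies are constructed placeholders and the function names are hypothetical.

```python
import re

# The three PEM settings the reply names as required for a Search Guard SSL layer.
REQUIRED = ("pemkey_filepath", "pemcert_filepath", "pemtrustedcas_filepath")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed sample: the searchguard section as posted, as a YAML loader would return it.
POSTED = {"searchguard": {
    "ssl.transport": {"enabled": True,
                      "pemkey_filepath": "searchguard/ssl/elastic.key.pem",
                      "pemcert_filepath": "searchguard/ssl/elastic.crtfull.pem"},
    "ssl.http": {"clientauth_mode": "OPTIONAL",
                 "pemkey_filepath": "searchguard/ssl/elastic.key.pem",
                 "pemcert_filepath": "searchguard/ssl/elastic.crtfull.pem"},
}}
# Constructed placeholder bundle: one key and two certificates in a single file.
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
BUNDLE = KEY + CERT + CERT

def flatten(node, prefix=""):
    """Turn nested dicts into dotted keys such as searchguard.ssl.transport.enabled."""
    flat = {}
    for key, value in node.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def missing_pem_settings(config):
    """Return {layer: [missing settings]} for each configured SSL layer."""
    flat, report = flatten(config), {}
    for layer in ("transport", "http"):
        base = f"searchguard.ssl.{layer}."
        if not any(k.startswith(base) for k in flat):
            continue  # layer not configured at all
        missing = [name for name in REQUIRED if not flat.get(base + name)]
        if missing:
            report[layer] = missing
    return report

def split_combined_pem(text):
    """Split one PEM bundle into (private key blocks, certificate blocks)."""
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(text):
        (keys if match.group(1).endswith("PRIVATE KEY") else certs).append(match.group(0))
    return keys, certs

if __name__ == "__main__":
    print(missing_pem_settings(POSTED))
    print([len(blocks) for blocks in split_combined_pem(BUNDLE)])
```

Which certificate belongs in the trusted-CAs file depends on the deployment's PKI; the splitter only separates the blocks and does not decide that.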