- Search Guard and Elasticsearch version: 5.5.2
here is what I tried in my elasticsearch.yml
path:
logs: /tmp
conf: /usr/share/elasticsearch/config
cluster.name: ${CLUSTER_NAME}
node:
name: ${NODE_NAME}
master: ${NODE_MASTER}
data: ${NODE_DATA}
ingest: ${NODE_INGEST}
discovery.zen:
minimum_master_nodes: ${MINIMUM_MASTER_NODES}
ping.unicast.hosts: ${HOSTS}
network.host: ${NETWORK_HOST}
http:
enabled: ${HTTP_ENABLE}
compression: true
cors:
enabled: ${HTTP_CORS_ENABLE}
allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}
searchguard:
ssl.transport:
enabled: true
enable_openssl_if_available: true
pemkey_filepath: searchguard/ssl/elastic.key.pem
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
enforce_hostname_verification: false
ssl.http:
enabled: ${HTTP_SSL}
# clientauth_mode: REQUIRE
clientauth_mode: OPTIONAL
enable_openssl_if_available: true
pemkey_filepath: searchguard/ssl/elastic.key.pem
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
enforce_hostname_verification: false
authcz.admin_dn:
- "CN=elastic ,OU=devops, C=COM"
kibana.yml
server.port: 5601
server.host: ‘0.0.0.0’
elasticsearch.url: ‘http://elasticsearch:9200’
elasticsearch.username: “elastic”
elasticsearch.password: “changeme”
searchguard.cookie.password: “defaultcookie”
elasticsearch.ssl.verificationMode: “certificate”
elasticsearch.requestHeadersWhitelist: [ “authorization”, “x-forwarded-for”, “x-forwarded-by”, “x-proxy-user”, “x-proxy-roles” ]```
Sorry, did not get you fully:
Do you mean a single pem file which contains the certificate and the key as well?
Currently this is not possible, you need to set pemtrustedcas_filepath, pemkey_filepath and pemcert_filepath
In you example below the is "searchguard.ssl.transport.pemtrustedcas_filepath" missing.
An in kibana yml you may want to use https://elasticsearch:9200 instead of http://elasticsearch:9200
···
Am 31.10.2017 um 07:52 schrieb Udit Verma <udit.verma@srijan.net>:
* Search Guard and Elasticsearch version: 5.5.2
here is what I tried in my elasticsearch.yml
path:
logs: /tmp
conf: /usr/share/elasticsearch/config
cluster.name: ${CLUSTER_NAME}
node:
name: ${NODE_NAME}
master: ${NODE_MASTER}
data: ${NODE_DATA}
ingest: ${NODE_INGEST}
discovery.zen:
minimum_master_nodes: ${MINIMUM_MASTER_NODES}
ping.unicast.hosts: ${HOSTS}
network.host: ${NETWORK_HOST}
http:
enabled: ${HTTP_ENABLE}
compression: true
cors:
enabled: ${HTTP_CORS_ENABLE}
allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}
searchguard:
ssl.transport:
enabled: true
enable_openssl_if_available: true
pemkey_filepath: searchguard/ssl/elastic.key.pem
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
enforce_hostname_verification: false
ssl.http:
enabled: ${HTTP_SSL}
# clientauth_mode: REQUIRE
clientauth_mode: OPTIONAL
enable_openssl_if_available: true
pemkey_filepath: searchguard/ssl/elastic.key.pem
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
enforce_hostname_verification: false
authcz.admin_dn:
- "CN=elastic ,OU=devops, C=COM"
kibana.yml
```
server.port: 5601
server.host: '0.0.0.0'
elasticsearch.url: 'http://elasticsearch:9200'
elasticsearch.username: "elastic"
elasticsearch.password: "changeme"
searchguard.cookie.password: "defaultcookie"
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.requestHeadersWhitelist: [ "authorization", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles" ]```
--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/1e8187fc-0728-4fd3-a262-66ac80ee259a%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.
Yes I did add a key and cert separately,
searchguard:
ssl.transport:
pemkey_filepath: searchguard/ssl/elastic.key.
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
``
as a setting, still Elasticsearch wasn’t able to start.
Do I need to add anything else…?
As posted above, you need to set pemtrustedcas_filepath as well.
···
On Tuesday, October 31, 2017 at 10:57:12 AM UTC+1, Udit Verma wrote:
Yes I did add a key and cert separately,
searchguard:
ssl.transport:
pemkey_filepath: searchguard/ssl/elastic.key.
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
``
as a setting, still Elasticsearch wasn’t able to start.
Do I need to add anything else…?