Hi,
Context -
I have used the example scripts at Sample PKI scripts | Security for Elasticsearch | Search Guard to generate TLS certificates for searchguard.
I deploy ELK via helm charts in kubernetes environment as pods. Earlier, I always generated certs with default OID (from the example script) and things worked fine.
Now, my certificates cannot have an OID field and so, i intend to use the property searchguard.nodes_dn to list the DNs of the nodes.
I am trying to add this property as an environment variable to the elasticsearch pod in the helm chart. Because using the docker-entrypoint.sh (https://github.com/elastic/elasticsearch/blob/7.0/distribution/docker/src/docker/bin/docker-entrypoint.sh), all envs (in a format) get added to es_opts passed to the elasticsearch process.
I have been successful in configuring other searchguard parameters like searchguard.ssl.http.enabled_ciphers too as env to pods and it gets reflected properly.
Issue -
My keystore.jks is something like this - (It contains node certificate and the chain of CAs signing it):
Certificate[1]:
Owner: CN=elasticsearch.shiv1, C=ELK
Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
..
Certificate[2]:
Owner: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Issuer: CN=elasticsearch. Root CA, DC=elasticsearch
..
Certificate[3]:
Owner: CN=elasticsearch. Root CA, DC=elasticsearch
Issuer: CN=elasticsearch. Root CA, DC=elasticsearch
Now, i am trying to configure nodes_dn as an env in the pods like:
- name: "searchguard.nodes_dn"
value: "CN=elasticsearch.shiv1,C=ELK"
When i check the running process, this property does appear -
elastic+ 70 13 44 05:12 ? 00:00:35 /etc/alternatives/jre_openjdk//bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC ... -Des.path.conf=/etc/elasticsearch -Esearchguard.nodes_dn=CN=elasticsearch.shiv1,C=ELK
But I still get this error in elasticsearch logs and cluster doesnt come up -
“logger”:“c.f.s.t.SearchGuardRequestHandler”,“timezone”:“UTC”,“log”:“ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with
a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someone
> is spoofing requests. Check your TLS certificate setup as described here: See TLS help | Security for Elasticsearch | Search Guard]”}
When i add this parameter to elasticsearch.yml file directly, with the same key value pair, it works fine and cluster formation happens as expected.
Could you help me understand why this particular parameter refuses to get accepted when added as an env? Or if there is a particular way of setting this parameter?
Version info - ELK + searchguard : 7.0.1
Thanks,
Shivani