WARNING: Version 6.1 of Elasticsearch has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Encrypting Communications in Elasticsearch Enabling Cipher Suites for Stronger Encryption »
Elastic Docs Elasticsearch Reference [6.1] Set up X-Pack Configuring Security in Elasticsearch

Encrypting Communications in an Elasticsearch Docker Image

Encrypting Communications in an Elasticsearch Docker Image

Starting with version 6.0.0, X-Pack security (Gold, Platinum or Enterprise subscriptions) requires SSL/TLS encryption for the transport networking layer.

This section demonstrates an easy path to get started with SSL/TLS for both HTTPS and transport using the elasticsearch-platinum docker image.

For further details, please refer to Encrypting Communications and available subscriptions.

Prepare the environment

Install Elasticsearch with Docker.

Inside a new, empty, directory create the following four files:

instances.yml:

instances:
  - name: es01
    dns:
      - es01 
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1

Allow use of embedded Docker DNS server names.

.env:

CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates 
ELASTIC_PASSWORD=PleaseChangeMe

The path, inside the Docker image, where certificates are expected to be found.

Initial password for the elastic user.

create-certs.yml:

version: '2.2'
services:
  create_certs:
    container_name: create_certs
    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.1.4
    command: >
      bash -c '
        if [[ ! -d config/x-pack/certificates/certs ]]; then
          mkdir config/x-pack/certificates/certs;
        fi;
        if [[ ! -f /local/certs/bundle.zip ]]; then
          bin/x-pack/certgen --silent --in config/x-pack/certificates/instances.yml --out config/x-pack/certificates/certs/bundle.zip;
          unzip config/x-pack/certificates/certs/bundle.zip -d config/x-pack/certificates/certs; 
        fi;
        chgrp -R 0 config/x-pack/certificates/certs
      '
    user: ${UID:-1000}
    working_dir: /usr/share/elasticsearch
    volumes: ['.:/usr/share/elasticsearch/config/x-pack/certificates']

The new node certificates and CA certificate+key are placed under the local directory certs.

docker-compose.yml:

version: '2.2'
services:
  es01:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.1.4
    environment:
      - node.name=es01
      - discovery.zen.minimum_master_nodes=2
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD 
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.http.ssl.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate 
      - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.ssl.key=$CERTS_DIR/es01/es01.key
    volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
    ports:
      - 9200:9200
    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5
  es02:
    container_name: es02
    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.1.4
    environment:
      - node.name=es02
      - discovery.zen.minimum_master_nodes=2
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
      - discovery.zen.ping.unicast.hosts=es01
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.http.ssl.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.ssl.key=$CERTS_DIR/es02/es02.key
    volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
  wait_until_ready:
    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.1.4
    command: /usr/bin/true
    depends_on: {"es01": {"condition": "service_healthy"}}
volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}}

Bootstrap elastic with the password defined in .env. See the Elastic Bootstrap Password.

Disable verification of authenticity for inter-node communication. Allows creating self-signed certificates without having to pin specific internal IP addresses.

Run the example

  1. Generate the certificates (only needed once):

    docker-compose -f create-certs.yml up

  2. Start two Elasticsearch nodes configured for SSL/TLS:

    docker-compose up -d

  3. Access the Elasticsearch API over SSL/TLS using the bootstrapped password:

    curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe https://localhost:9200

  4. The setup-passwords tool can also be used to generate random passwords for all users:

    Windows users not running PowerShell will need to remove \ and join lines in the snippet below.

    docker exec es01 /bin/bash -c "bin/x-pack/setup-passwords \
auto --batch \
-Expack.ssl.certificate=x-pack/certificates/es01/es01.crt \
-Expack.ssl.certificate_authorities=x-pack/certificates/ca/ca.crt \
-Expack.ssl.key=x-pack/certificates/es01/es01.key \
--url https://localhost:9200"
« Encrypting Communications in Elasticsearch Enabling Cipher Suites for Stronger Encryption »