WARNING: Version 6.2 of Elasticsearch has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Starting with version 6.0.0, X-Pack security (Gold, Platinum or Enterprise subscriptions) requires SSL/TLS encryption for the transport networking layer.
This section demonstrates an easy path to get started with SSL/TLS for both
HTTPS and transport using the elasticsearch-platinum
docker image.
For further details, please refer to Encrypting Communications and available subscriptions.
Install Elasticsearch with Docker.
Inside a new, empty, directory create the following four files:
instances.yml
:
instances: - name: es01 dns: - es01 - localhost ip: - 127.0.0.1 - name: es02 dns: - es02 - localhost ip: - 127.0.0.1
.env
:
The path, inside the Docker image, where certificates are expected to be found. |
|
Initial password for the |
version: '2.2' services: create_certs: container_name: create_certs image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.2.4 command: > bash -c ' if [[ ! -d config/x-pack/certificates/certs ]]; then mkdir config/x-pack/certificates/certs; fi; if [[ ! -f /local/certs/bundle.zip ]]; then bin/x-pack/certgen --silent --in config/x-pack/certificates/instances.yml --out config/x-pack/certificates/certs/bundle.zip; unzip config/x-pack/certificates/certs/bundle.zip -d config/x-pack/certificates/certs; fi; chgrp -R 0 config/x-pack/certificates/certs ' user: ${UID:-1000} working_dir: /usr/share/elasticsearch volumes: ['.:/usr/share/elasticsearch/config/x-pack/certificates']
version: '2.2' services: es01: container_name: es01 image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.2.4 environment: - node.name=es01 - discovery.zen.minimum_master_nodes=2 - ELASTIC_PASSWORD=$ELASTIC_PASSWORD - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - xpack.security.http.ssl.enabled=true - xpack.security.transport.ssl.enabled=true - xpack.security.transport.ssl.verification_mode=certificate - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt - xpack.ssl.key=$CERTS_DIR/es01/es01.key volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] ports: - 9200:9200 healthcheck: test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi interval: 30s timeout: 10s retries: 5 es02: container_name: es02 image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.2.4 environment: - node.name=es02 - discovery.zen.minimum_master_nodes=2 - ELASTIC_PASSWORD=$ELASTIC_PASSWORD - discovery.zen.ping.unicast.hosts=es01 - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - xpack.security.http.ssl.enabled=true - xpack.security.transport.ssl.enabled=true - xpack.security.transport.ssl.verification_mode=certificate - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt - xpack.ssl.key=$CERTS_DIR/es02/es02.key volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] wait_until_ready: image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.2.4 command: /usr/bin/true depends_on: {"es01": {"condition": "service_healthy"}} volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}}
Bootstrap |
|
Disable verification of authenticity for inter-node communication. Allows creating self-signed certificates without having to pin specific internal IP addresses. |
-
Generate the certificates (only needed once):
docker-compose -f create-certs.yml up
-
Start two Elasticsearch nodes configured for SSL/TLS:
docker-compose up -d
-
Access the Elasticsearch API over SSL/TLS using the bootstrapped password:
curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe https://localhost:9200
-
The
setup-passwords
tool can also be used to generate random passwords for all users:Windows users not running PowerShell will need to remove
\
and join lines in the snippet below.docker exec es01 /bin/bash -c "bin/x-pack/setup-passwords \ auto --batch \ -Expack.ssl.certificate=x-pack/certificates/es01/es01.crt \ -Expack.ssl.certificate_authorities=x-pack/certificates/ca/ca.crt \ -Expack.ssl.key=x-pack/certificates/es01/es01.key \ --url https://localhost:9200"