Elasticsearch 8 Tutorial - Configuring Elasticsearch SSL/HTTPS with CA issued Digital Certificate | JavaInUse

In a previous tutorial we configured Elasticsearch using self-signed certificates. In this tutorial we will configure Elasticsearch using a certificate issued by the Comodo Certificate Authority. In web security, CA (Certificate Authority) certificates differ from self-signed certificates in that browsers and operating systems trust them out of the box and the CA has verified the identity behind them. Self-signed certificates trigger warning messages that can alarm users, while CA certificates give a seamless browsing experience with the reassuring padlock icon. For production environments and public-facing websites, CA certificates are the professional choice despite their cost, as they deliver both encryption and validated authenticity. Self-signed certificates, though free and adequate for development or testing environments, provide only basic encryption without the element of trust that modern web security demands.

Elasticsearch 8 Security Tutorials

Elasticsearch 8 Security Tutorial - Set password
Elasticsearch 8 Security Tutorial - Configuring SSL, TLS, and HTTPS
Elasticsearch 8 Security Tutorial - Store credentials using keystore
Elasticsearch 8 Tutorial - Configuring Elasticsearch and Kibana with Credentials and SSL
Elasticsearch 8 Tutorial - Integrate Azure AD OIDC in Elasticsearch and Kibana
Elasticsearch 8 Tutorial - Configuring Elasticsearch SSL/HTTPS with CA issued Digital Certificate

Install Elasticsearch RPM

We will run an instance of Elasticsearch on an AWS machine. For this we download the Elasticsearch RPM and install it.
Download the Elasticsearch RPM.
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.16.0-x86_64.rpm

Install elasticsearch RPM.
sudo rpm --install elasticsearch-8.16.0-x86_64.rpm

Once installed, start the elasticsearch service.
sudo systemctl start elasticsearch.service

We can check the status of the Elasticsearch service.
sudo systemctl status elasticsearch.service

For this AWS machine I have already opened port 9200. If we now go to https://ipaddress:9200, which in our case is https://3.135.234.84:9200, we can see that we can access the Elasticsearch instance.
Let us now reset the password for the Elasticsearch instance. Go to the Elasticsearch bin folder and use the command
elasticsearch-reset-password -u elastic --interactive

If we now go again to https://10.13.45:9200 and enter the credentials, we can access the Elasticsearch instance. But we also get a certificate warning.

On this AWS machine I have already configured javainuse to run, and the GoDaddy DNS is pointing to this AWS machine's IP address. If we try to access the Elasticsearch instance using the javainuse domain name - https://www.javainuse.com:9200 - we again get the certificate warning.

Get Certificate from Comodo

We go to the Comodo certificate website and request the certificate by providing details such as the CSR (certificate signing request) and by verifying domain ownership. Comodo has provided me with a certificate named www_javainuse_com.p7b in p7b format. I have imported this certificate into a keystore named elastic.jks, which we will use for configuring Elasticsearch.
I have copied this elastic.jks to the /etc/elasticsearch folder.
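
The page does not show how the .p7b reply becomes a keystore, so here is that step as an added example (not from the original tutorial), run offline with openssl. A constructed throwaway CA stands in for Comodo and the output is a PKCS#12 keystore rather than elastic.jks; the function names, file names and password are assumptions, and the last function shows why the IP address still produces a warning while the domain name does not.

```shell
#!/usr/bin/env bash
# Added example. A throwaway CA stands in for Comodo; all file names are constructed.
set -eu

# Create a test CA, a server key + CSR for host $1, and the CA's reply as reply.p7b in dir $2.
make_p7b_reply() {
  host=$1; dir=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/server.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$dir/server.pem" -certfile "$dir/ca.pem" \
    -out "$dir/reply.p7b"
}

# Unpack the .p7b and bundle it with the private key from the CSR step as PKCS#12.
# pkcs12 -export fails if no certificate in the chain matches the key.
p7b_to_keystore() {
  dir=$1; pass=$2
  openssl pkcs7 -print_certs -in "$dir/reply.p7b" -out "$dir/chain.pem" &&
  openssl pkcs12 -export -name elastic -inkey "$dir/server.key" -in "$dir/chain.pem" \
    -out "$dir/elastic.p12" -passout "pass:$pass" &&
  chmod 600 "$dir/elastic.p12"   # the keystore holds the private key
}

# Exit 0 only if the keystore's leaf chains to the CA and covers the name ($3 = hostname|ip).
keystore_valid_for() {
  dir=$1; pass=$2; kind=$3; name=$4
  openssl pkcs12 -in "$dir/elastic.p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null |
    openssl x509 -out "$dir/leaf.pem" &&
  openssl verify -CAfile "$dir/ca.pem" "-verify_$kind" "$name" "$dir/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_p7b_reply www.javainuse.com "$work"
p7b_to_keystore "$work" 'constructed-pass'
for target in "hostname www.javainuse.com" "ip 3.135.234.84"; do
  if keystore_valid_for "$work" 'constructed-pass' $target; then echo "$target: trusted"
  else echo "$target: certificate warning"; fi
done
```

To get the page's elastic.jks from this, convert with `keytool -importkeystore -srckeystore elastic.p12 -srcstoretype PKCS12 -destkeystore elastic.jks -deststoretype JKS`; Elasticsearch also accepts a .p12 file directly in keystore.path.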

Configure elasticsearch with javainuse certificate.

Go to elasticsearch.yml and configure it as follows:
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: elastic.jks


cluster.initial_master_nodes: ["ip-172-31-4-60.us-east-2.compute.internal"]

http.host: 0.0.0.0
Next we need to remove unnecessary properties from the Elasticsearch keystore. Use the elasticsearch-keystore list command to list all the properties.
elasticsearch-keystore list

Next delete these properties using the elasticsearch-keystore remove command.
elasticsearch-keystore remove xpack.security.http.ssl.keystore.secure_password
elasticsearch-keystore remove xpack.security.transport.ssl.keystore.secure_password
elasticsearch-keystore remove xpack.security.transport.ssl.truststore.secure_password

We also add the following property to the Elasticsearch keystore to configure the elastic.jks password.
elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

If we now go to https://www.javainuse.com:9200 we can access this Elasticsearch instance.