Connecting to the ES Server after TLS is enabled

I enabled TLS using the opendistro security plugin and brought the server up. However, when I try to connect to the server from outside, I get a timeout error from the server. When I look at the SSL debug output, I see the client is sending Hello, but the server is not replying with anything.

Do I need to perform any additional step, like enabling port 443 on the server? On the server, I don’t see port 443 listening. I see ports 9200 and 9300 listening.

Hello @ddramireddy

As per the Elasticsearch documentation, ports 9200 and 9300 are expected to be open.

How do you access Elasticsearch? How did you test the SSL connection?

I used 2 ways:

  1. Using the Elasticsearch REST API to check cluster health
  2. The `openssl s_client` command.

In both approaches, I see the client initiating the connection, but the server is not responding.

@pablo, any thoughts on how it connects over TLS? Do we need to call port 443, or is 9200 enough? I tried both ports and the same behavior is observed in both cases.

As per the docs, 9200-9300 is used for HTTP but also for API communication by default.
Calling 9200 is the best approach to communicate with an ES node and cluster.

What type of authentication did you enable in your config.yml file?

I enabled basic authentication and am able to call it successfully by skipping SSL cert verification. But if I enable SSL cert verification, I get a timeout error from the server. I don’t see any error in the Elasticsearch logs either.

I suspect your ES is using self-signed certs. That’s why curl is successful with the `--insecure` option and fails when it is not used.

This is not caused by the security plugin but by the SSL certs that are used in ES. Also, when you curl a secured port (HTTPS), be sure that the FQDN or IP is in the CN or SAN of the target’s (ES) SSL certificate.
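
The two checks named in the last reply (does the certificate chain to something the client trusts, and is the FQDN or IP being dialed present in its CN/SAN), as an added example that is not part of the original thread. The hostnames, IP address and file names are constructed for the demo, and it assumes the `openssl` CLI, version 1.1.1 or later for `-addext`.

```bash
#!/usr/bin/env bash
# Added example: classify why client-side verification of a node cert fails.

# make_demo_cert OUT_PREFIX SAN -> writes OUT_PREFIX.pem / .key (self-signed, constructed)
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-$(basename "$1")" -addext "subjectAltName=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# diagnose_cert CERT_PEM CA_PEM HOST_OR_IP -> prints one of:
#   ok | untrusted | name-mismatch | untrusted,name-mismatch
diagnose_cert() {
  local cert="$1" ca="$2" host="$3" flag problems=""
  # Trust check: does the cert verify against the CA file the client uses?
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    problems="untrusted"
  fi
  # Name check: IP literals are matched against IP SANs, names against DNS SANs/CN.
  case "$host" in
    *:*)       flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) flag=-checkhost ;;  # contains non-digit characters: a hostname
    *)         flag=-checkip ;;    # dotted IPv4
  esac
  if ! openssl x509 -in "$cert" -noout "$flag" "$host" 2>/dev/null \
       | grep -q "does match certificate"; then
    problems="${problems:+$problems,}name-mismatch"
  fi
  echo "${problems:-ok}"
}

demo() {
  local d
  d=$(mktemp -d)
  make_demo_cert "$d/node"  "DNS:es-node1.example.internal,IP:10.0.0.5"
  make_demo_cert "$d/other" "DNS:other.example.internal"
  # Client trusts the node's own self-signed cert and dials a name in the SAN.
  echo "trusted, SAN name : $(diagnose_cert "$d/node.pem" "$d/node.pem" es-node1.example.internal)"
  # Client dials an IP that is not listed in the SAN.
  echo "trusted, wrong IP : $(diagnose_cert "$d/node.pem" "$d/node.pem" 10.0.0.6)"
  # Client's CA file does not contain the node's self-signed cert.
  echo "other CA file     : $(diagnose_cert "$d/node.pem" "$d/other.pem" es-node1.example.internal)"
  rm -rf "$d"
}
demo
```

Against a live node, the certificate to feed into `diagnose_cert` can be saved from the `openssl s_client` output already being used in the thread.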