SSL authentication certificates

Security
1

Hi All,

I see in documentation for SSL and transport layer authentication we should need following certs

  • Elasticsearch admin
  • Elasticsearch node
  • Kibana node
  • Certificate authority

I see in elesticsearch.yml we have configured node and CA cert using following :

opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem

and for admin only configuration i see in this
opendistro_security.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

Now Question are

  1. How and where do we configure admin cert and key in elasticsearch configuration?
  2. How can we define admin role while creating cert?
  3. How can I create 2 different type of cert , one for node and one for admin role.
    Thanks
2

Any one please able to help me here?

3

May be this will help:

elasticsearch.yml:
cluster.name: “k8s-logs”
network.host: 0.0.0.0
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- ‘CN=admin,O=LONUS,L=NewYork,C=US’
opendistro_security.nodes_dn:
- ‘CN=.elasticsearch,O=LON,L=London,C=DE’
- ‘CN=kibana,O=LON,L=London,C=DE’
- 'CN=,O=LON,L=London,C=DE’
- ‘CN=k8s-logs*’
- ‘/CN=.*regex/’
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

volumeMounts:
mountPath: /usr/share/elasticsearch/config/admin.pem
mountPath: /usr/share/elasticsearch/config/admin-key.pem
mountPath: /usr/share/elasticsearch/config/node.pem
mountPath: /usr/share/elasticsearch/config/node-key.pem
mountPath: /usr/share/elasticsearch/config/root-ca.pem
mountPath: /usr/share/elasticsearch/config/root-ca-key.pem
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml

certificates:
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -days 3650 -new -key admin-key.pem -out admin.csr -subj “/C=US/L=NewYork/O=LONUS/CN=admin”
openssl x509 -req -days 3650 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
openssl genrsa -out node-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
openssl req -days 3650 -new -key node-key.pem -out node.csr -subj “/C=DE/L=London/O=LON/CN=*.elasticsearch”
openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem
openssl genrsa -out kibana-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in kibana-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kibana-key.pem
openssl req -days 3650 -new -key kibana-key.pem -out kibana.csr -subj “/C=DE/L=London/O=LON/CN=kibana”
openssl x509 -req -days 3650 -in kibana.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out kibana.pem

1 Like
4

Hi IIauber,
I followed your steps for creating the certs/keys but when I start my nodes I am getting the following error message:

[2020-05-11T14:14:12,030][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [opendistro_es01] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone
is spoofing requests. Check your TLS certificate setup as described here: See Troubleshoot TLS - Open Distro Documentation]

elasticsearch.yml:

cluster.name: opendistro-elk
node:
name: ${HOSTNAME}
master: true
data: true
ingest: false
path:
data: /var/lib/elasticsearch
logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
discovery.seed_hosts: [“opendistro_es02”, “opendistro_es03”]
cluster.initial_master_nodes: [“opendistro_es02”, “opendistro_es03”]
opendistro_security.ssl.transport.pemcert_filepath: myelk-node.pem
opendistro_security.ssl.transport.pemkey_filepath: myelk-node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: myelkrootca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: myelk-node.pem
opendistro_security.ssl.http.pemkey_filepath: myelk-node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: myelkrootca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
-‘CN=admin,O=Home,L=Maryland,C=US’
opendistro_security.nodes_dn:
-‘CN=.elasticsearch,O=Home,L=Maryland,C=US’
-‘CN=kibana,O=Home,L=Maryland,C=US’
-‘CN=,O=Home,L=Maryland,C=US’
-‘CN=opendistro-elk*’
-‘/CN=.*regex/’
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

volumeMounts:

/etc/elasticsearch/admin.pem
/etc/elasticsearch/admin-key.pem
/etc/elasticsearch/myelk-node.pem
/etc/elasticsearch/myelk-node-key.pem
/etc/elasticsearch/myelkrootca.pem
/etc/elasticsearch/myelkrootca-key.pem

Would you happen to know how to resolve this issue?

5

Hello,

I used this script to generate the certificates:

#!/bin/bash

echo “**********”

echo “* Root CA”

openssl genrsa -out root-ca-key.pem 2048"

openssl req -days 3650 -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj “/C=DE/L=Berlin/O=Company/CN=root-ca”’

echo “**********”

echo “* Admin cert”

echo “create: admin-key-temp.pem”

openssl genrsa -out admin-key-temp.pem 2048

echo “create: admin-key.pem”

openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

echo “create: admin.csr”

openssl req -days 3650 -new -key admin-key.pem -out admin.csr -subj “/C=US/L=NewYork/O=CompanyUS/CN=admin”

echo “create: admin.pem”

openssl x509 -req -days 3650 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

echo “**********”

echo “* Node cert”

echo “create: node-key-temp.pem”

openssl genrsa -out node-key-temp.pem 2048

echo “create: node-key.pem”

openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem

echo “create: node.csr”

openssl req -days 3650 -new -key node-key.pem -out node.csr -subj “/C=DE/L=Berlin/O=Company/CN=*.elasticsearch”

echo “create: node.pem”

openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem

echo “**********”

echo “* Kibana cert”

echo “create: kibana-key-temp.pem”

openssl genrsa -out kibana-key-temp.pem 2048

echo “create: kibana-key.pem”

openssl pkcs8 -inform PEM -outform PEM -in kibana-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kibana-key.pem

echo “create: kibana.csr”

openssl req -days 3650 -new -key kibana-key.pem -out kibana.csr -subj “/C=DE/L=Berlin/O=Company/CN=kibana”

echo “create: kibana.pem”

openssl x509 -req -days 3650 -in kibana.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out kibana.pem

echo “*** Ende ***”

And here is my Elasticsearch.yml:

cluster.name: “k8s-logs”

network.host: 0.0.0.0

path.repo: [“/var/nfs”]

opendistro_security.ssl.transport.pemcert_filepath: node.pem

opendistro_security.ssl.transport.pemkey_filepath: node-key.pem

opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem

opendistro_security.ssl.transport.enforce_hostname_verification: false

opendistro_security.ssl.http.enabled: true

opendistro_security.ssl.http.pemcert_filepath: node.pem

opendistro_security.ssl.http.pemkey_filepath: node-key.pem

opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem

#opendistro_security.allow_unsafe_democertificates: true

opendistro_security.allow_default_init_securityindex: true

opendistro_security.authcz.admin_dn:

  • ‘CN=admin,O=CompanyUS,L=NewYork,C=US’

opendistro_security.nodes_dn:

  • ‘CN=*.elasticsearch,O=Company,L=Berlin,C=DE’

  • ‘CN=kibana,O=Company,L=Berlin,C=DE’

  • ‘CN=*,O=Company,L=Berlin,C=DE’

  • ‘CN=k8s-logs*’

  • ‘/CN=.*regex/’

opendistro_security.audit.type: internal_elasticsearch

opendistro_security.enable_snapshot_restore_privilege: true

opendistro_security.check_snapshot_restore_write_privileges: true

opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]

cluster.routing.allocation.disk.threshold_enabled: false

node.max_local_storage_nodes: 3

For test environments you can use the demo certificates (already included in the docker image).

Btw: OpenIDconnect is sill not working.

Best regards

Lorenz

6

Hello,

maybe your CN in your certificates is different from the hostname you used for the Elasticsearch node.

Best regards

Lorenz

7

@ashishpatil09 @feedy Did you get this resolved?