Hello,
I used this script to generate the certificates:
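#!/usr/bin/env bash
# Generate a private root CA and the three certificates Open Distro Security
# needs: admin (client cert for securityadmin.sh), node (transport + HTTP)
# and kibana.  Everything is written to the current directory:
#   root-ca-key.pem, root-ca.pem
#   <name>-key-temp.pem  PKCS#1 private key (intermediate; same key as below,
#                        safe to delete once <name>-key.pem exists)
#   <name>-key.pem       PKCS#8 private key, unencrypted (what the plugin reads)
#   <name>.csr, <name>.pem
# for <name> in admin, node, kibana.
#
# Environment overrides:
#   DAYS      validity in days for every certificate (default 3650)
#   KEY_BITS  RSA key size (default 2048)
#   NODE_SAN  subjectAltName for the node certificate, e.g.
#             "DNS:es-0.elasticsearch,DNS:es-1.elasticsearch" (default: none).
#             Required before enforce_hostname_verification can be enabled.
set -euo pipefail

readonly DAYS="${DAYS:-3650}"
readonly KEY_BITS="${KEY_BITS:-2048}"
readonly NODE_SAN="${NODE_SAN:-}"

# Every private key below is written without a passphrase (-nocrypt), so file
# permissions are the only thing protecting it: create new files owner-only.
umask 077

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

# Scratch directory for the x509v3 extension files; removed on any exit.
tmpdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT

#######################################
# Create the self-signed root CA.
# Outputs: root-ca-key.pem, root-ca.pem
#######################################
make_root_ca() {
  echo "**********"
  echo "* Root CA"
  openssl genrsa -out root-ca-key.pem "$KEY_BITS"
  # State the CA constraints explicitly instead of relying on whatever the
  # distro's default openssl.cnf puts into a `req -x509` certificate.
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
    > "$tmpdir/ca.ext"
  openssl req -new -sha256 -key root-ca-key.pem \
    -subj "/C=DE/L=Berlin/O=Company/CN=root-ca" -out "$tmpdir/root-ca.csr"
  openssl x509 -req -sha256 -days "$DAYS" -in "$tmpdir/root-ca.csr" \
    -signkey root-ca-key.pem -extfile "$tmpdir/ca.ext" -out root-ca.pem
}

#######################################
# Issue one leaf certificate signed by the root CA.
# Arguments:
#   $1 - base name; writes <name>-key-temp.pem, <name>-key.pem, <name>.csr,
#        <name>.pem
#   $2 - subject in OpenSSL slash form, e.g. /C=DE/L=Berlin/O=Company/CN=kibana
#   $3 - extendedKeyUsage list, e.g. clientAuth or serverAuth,clientAuth
#   $4 - subjectAltName list (optional), e.g. DNS:es-0.elasticsearch
#######################################
issue_cert() {
  local name=$1 subject=$2 eku=$3 san=${4:-}
  local extfile="$tmpdir/$name.ext"

  echo "**********"
  echo "* ${name^} cert"

  # Leaf certificates must not be able to sign other certificates, and the
  # EKU limits what each one may be presented for.
  {
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = %s\n' "$eku"
    if [[ -n "$san" ]]; then
      printf 'subjectAltName = %s\n' "$san"
    fi
  } > "$extfile"

  echo "create: $name-key-temp.pem"
  openssl genrsa -out "$name-key-temp.pem" "$KEY_BITS"
  echo "create: $name-key.pem"
  # PKCS#8 is the format the plugin reads.  With -nocrypt there is no
  # passphrase, so the PBE cipher option the original passed (-v1) had no
  # effect and is dropped.
  openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM \
    -in "$name-key-temp.pem" -out "$name-key.pem"
  echo "create: $name.csr"
  # -days is meaningless on a CSR; validity is set when the CA signs below.
  openssl req -new -sha256 -key "$name-key.pem" -subj "$subject" -out "$name.csr"
  echo "create: $name.pem"
  openssl x509 -req -sha256 -days "$DAYS" -in "$name.csr" \
    -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -extfile "$extfile" -out "$name.pem"
}

main() {
  make_root_ca
  # admin.pem is only ever presented as a client certificate (securityadmin.sh);
  # its DN must match opendistro_security.authcz.admin_dn.
  issue_cert admin "/C=US/L=NewYork/O=CompanyUS/CN=admin" clientAuth
  # node.pem is used as both server and client on the transport layer (mTLS)
  # and as server on the HTTP layer.  The wildcard CN is what nodes_dn matches;
  # real hostnames go into NODE_SAN so hostname verification can be turned on.
  issue_cert node "/C=DE/L=Berlin/O=Company/CN=*.elasticsearch" "serverAuth,clientAuth" "$NODE_SAN"
  issue_cert kibana "/C=DE/L=Berlin/O=Company/CN=kibana" "serverAuth,clientAuth"
  echo "**********"
  echo "*** Ende ***"
}

main "$@"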
And here is my elasticsearch.yml:
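cluster.name: "k8s-logs"
# Binds every interface; the TLS/mTLS settings below (plus network policy)
# are what limit who can actually talk to the node.
network.host: 0.0.0.0
path.repo: ["/var/nfs"]

# --- Transport layer (node-to-node) TLS ---
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# Off because node.pem carries a wildcard CN and no per-host SAN, so there is
# nothing to verify against.  Issue per-node certificates with DNS SANs and
# set this to true before using the cluster outside a test environment.
opendistro_security.ssl.transport.enforce_hostname_verification: false

# --- REST layer (HTTPS) TLS; reuses the node certificate ---
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem

# The demo certificates and their private keys are public; keep this disabled
# wherever the cluster is reachable by anyone else.
#opendistro_security.allow_unsafe_democertificates: true
# Loads the plugin's default security configuration on first start.  Set to
# false once the security index has been initialised so a wiped index cannot
# be silently re-seeded with defaults.
opendistro_security.allow_default_init_securityindex: true

# DN of admin.pem in RFC 2253 order (most specific RDN first).
opendistro_security.authcz.admin_dn:
  - 'CN=admin,O=CompanyUS,L=NewYork,C=US'

# Certificates accepted as cluster members on the transport layer.  Only the
# node certificate belongs here.
opendistro_security.nodes_dn:
  - 'CN=*.elasticsearch,O=Company,L=Berlin,C=DE'
  # kibana.pem is used on the HTTP layer, not the transport layer; listing it
  # here would let whoever holds the Kibana key join the cluster as a node.
  #- 'CN=kibana,O=Company,L=Berlin,C=DE'
  # The next entry is over-broad: it matches every O=Company/L=Berlin/C=DE
  # certificate signed by root-ca, kibana.pem included.  The last two match
  # nothing this CA issues and look like leftovers from the example config.
  #- 'CN=*,O=Company,L=Berlin,C=DE'
  #- 'CN=k8s-logs*'
  #- '/CN=.*regex/'

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
# Presumably test-only: with the disk watermarks off a node can fill its
# volume; re-enable before running real data through it.
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3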
For test environments you can use the demo certificates that ship in the Docker image (they require `opendistro_security.allow_unsafe_democertificates: true`); their private keys are public, so never use them on a cluster that is reachable from anything you do not trust.
By the way: OpenID Connect is still not working.
Best regards
Lorenz