Hi,
After I got stranded trying to get custom certificates created and configured using the opendistro docs https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/generate-certificates/
To successfully create them, I went over to the Search Guard documentation and used their Java-based offline cert creator tool sgtlstool (Offline TLS Tool | Security for Elasticsearch | Search Guard; also available as an online version: Online TLS Generator | Security for Elasticsearch | Search Guard). This finally worked for me.
Steps
After modifying ‘config/example.yml’, all the certs can be created at once:
search-guard-tlstool-1.7$ tools/sgtlstool.sh -c config/example.yml -ca -crt -v -o
Another benefit is that you get the config snippets as well:
odfe-node1_elasticsearch_config_snippet.yml
# This is a configuration snippet for the node odfe-node1
# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
# If the config file already contains SearchGuard configuration, this needs to be replaced.
# Furthermore, you need to copy the files referenced below into the same directory.
# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.
searchguard.ssl.transport.pemcert_filepath: odfe-node1.pem
searchguard.ssl.transport.pemkey_filepath: odfe-node1.key
searchguard.ssl.transport.pemkey_password: thissupposedtobeakeypassword
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: odfe-node1_http.pem
searchguard.ssl.http.pemkey_filepath: odfe-node1_http.key
searchguard.ssl.http.pemkey_password: thissupposedtobeakeypassword
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=*.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=admin.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
The config snippet just requires a small modification to work for opendistro: everything starting with
searchguard.ssl.
has to be replaced by
opendistro_security.ssl.
On Linux (GNU sed):
sed -i -- 's/searchguard\./opendistro_security./g' *_elasticsearch_config_snippet.yml
On macOS (non-GNU sed) it is:
sed -i '' -e 's/searchguard\./opendistro_security./g' *_elasticsearch_config_snippet.yml
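The rename above works on both platforms, but a practitioner usually wants to confirm the result and notice what the generated snippet switches off. The following shell functions are an added example, not part of the original post and not code from Search Guard or Open Distro: they rewrite the key prefix portably (no `sed -i`, whose syntax differs between GNU and BSD sed), verify that no `searchguard.*` keys remain, and count the settings that matter for transport security: hostname verification disabled and a key password stored in the clear. The sample snippet is constructed, modelled on the one shown in the post.

```sh
#!/bin/sh
# Added example: convert an sgtlstool snippet to Open Distro key names and
# report weak TLS settings. Assumes the snippet uses the searchguard.* keys
# shown in the post; the file path is supplied by the caller.

# Constructed sample snippet, modelled on odfe-node1_elasticsearch_config_snippet.yml.
write_sample_snippet() {
  cat > "$1" <<'EOF'
# This is a configuration snippet for the node odfe-node1
searchguard.ssl.transport.pemcert_filepath: odfe-node1.pem
searchguard.ssl.transport.pemkey_filepath: odfe-node1.key
searchguard.ssl.transport.pemkey_password: thissupposedtobeakeypassword
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.nodes_dn:
- CN=*.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=admin.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
EOF
}

# Rewrite the key prefix in place by writing to a temp file and moving it
# over the original; this avoids the GNU/BSD difference in 'sed -i'.
# '\.' matches a literal dot so only the key prefix at line start is touched;
# this also covers searchguard.nodes_dn and searchguard.authcz.admin_dn.
convert_snippet() {
  in="$1"
  tmp="$in.tmp.$$"
  sed -e 's/^searchguard\./opendistro_security./' "$in" > "$tmp" && mv "$tmp" "$in"
}

# Succeeds (exit 0) when no searchguard.* keys remain and ODFE ssl keys exist.
snippet_is_converted() {
  ! grep -q '^searchguard\.' "$1" && grep -q '^opendistro_security\.ssl\.' "$1"
}

# Number of transport settings that disable hostname checks. With both set to
# false, any certificate whose subject matches nodes_dn is accepted from any host,
# so the node-to-node trust rests on the DN pattern alone.
count_weak_settings() {
  grep -c -E '^opendistro_security\.ssl\.transport\.(enforce_hostname_verification|resolve_hostname): *false' "$1" || true
}

# Number of private-key passwords written into the config file in the clear;
# anyone who can read elasticsearch.yml can also read the key.
count_plaintext_key_passwords() {
  grep -c -E '^opendistro_security\.ssl\.(transport|http)\.pemkey_password:' "$1" || true
}
```

Run it as `write_sample_snippet node.yml; convert_snippet node.yml; count_weak_settings node.yml` and compare the counts against what you expect for the node; a non-zero count of weak settings on a production snippet is worth a second look before the file goes into config/elasticsearch.yml.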
sgtlstool fork?
My question to the ODFE team is whether this great open-source tool search-guard-tlstool can be forked, modified and included in opendistro → GitHub - floragunncom/search-guard-tlstool: SSL/TLS offline certificate generation and validation tool for Search Guard
Changing a few JSON properties in the following file should be sufficient:
src/main/java/com/floragunn/searchguard/tools/util/EsNodeConfig.java
Thanks,
nean