Starting with version 6.0.0, {security} (Gold, Platinum or Enterprise subscriptions) requires SSL/TLS encryption for the transport networking layer.
This section demonstrates an easy path to get started with SSL/TLS for both HTTPS and transport using the {es} Docker image. The example uses Docker Compose to manage the containers.
For further details, please refer to {xpack-ref}/encrypting-communications.html[Encrypting Communications] and available subscriptions.
Inside a new, empty directory, create the following four files:
instances.yml
:
instances:
- name: es01
dns:
- es01 (1)
- localhost
ip:
- 127.0.0.1
- name: es02
dns:
- es02
- localhost
ip:
- 127.0.0.1
-
Allow use of embedded Docker DNS server names.
.env
:
CERTS_DIR=/usr/share/elasticsearch/config/certificates (1)
ELASTIC_PASSWORD=PleaseChangeMe (2)
-
The path, inside the Docker image, where certificates are expected to be found.
-
Initial password for the
elastic
user.
create-certs.yml
:
version: '2.2'
services:
create_certs:
container_name: create_certs
image: {docker-image}
command: >
bash -c '
if [[ ! -d config/certificates/certs ]]; then
mkdir config/certificates/certs;
fi;
if [[ ! -f /local/certs/bundle.zip ]]; then
bin/elasticsearch-certgen --silent --in config/certificates/instances.yml --out config/certificates/certs/bundle.zip;
unzip config/certificates/certs/bundle.zip -d config/certificates/certs; <1>
fi;
chgrp -R 0 config/certificates/certs
'
user: $\{UID:-1000\}
working_dir: /usr/share/elasticsearch
volumes: ['.:/usr/share/elasticsearch/config/certificates']
-
The new node certificates and CA certificate+key are placed under the local directory
certs
.
docker-compose.yml
:
version: '2.2'
services:
es01:
container_name: es01
image: {docker-image}
environment:
- node.name=es01
- discovery.zen.minimum_master_nodes=2
- ELASTIC_PASSWORD=$ELASTIC_PASSWORD <1>
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- xpack.license.self_generated.type=trial <2>
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate <3>
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.ssl.key=$CERTS_DIR/es01/es01.key
volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
ports:
- 9200:9200
healthcheck:
test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
interval: 30s
timeout: 10s
retries: 5
es02:
container_name: es02
image: {docker-image}
environment:
- node.name=es02
- discovery.zen.minimum_master_nodes=2
- ELASTIC_PASSWORD=$ELASTIC_PASSWORD
- discovery.zen.ping.unicast.hosts=es01
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- xpack.license.self_generated.type=trial
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.ssl.key=$CERTS_DIR/es02/es02.key
volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
wait_until_ready:
image: {docker-image}
command: /usr/bin/true
depends_on: {"es01": {"condition": "service_healthy"}}
volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}}
-
Bootstrap
elastic
with the password defined in.env
. See {stack-ov}/built-in-users.html#bootstrap-elastic-passwords[the Elastic Bootstrap Password]. -
Automatically generate and apply a trial subscription, in order to enable {security}.
-
Disable verification of authenticity for inter-node communication. Allows creating self-signed certificates without having to pin specific internal IP addresses.
-
Generate the certificates (only needed once):
docker-compose -f create-certs.yml up
-
Start two {es} nodes configured for SSL/TLS:
docker-compose up -d
-
Access the {es} API over SSL/TLS using the bootstrapped password:
curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe https://localhost:9200
-
The
elasticsearch-setup-passwords
tool can also be used to generate random passwords for all users:WarningWindows users not running PowerShell will need to remove \
and join lines in the snippet below.docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \ auto --batch \ -Expack.ssl.certificate=certificates/es01/es01.crt \ -Expack.ssl.certificate_authorities=certificates/ca/ca.crt \ -Expack.ssl.key=certificates/es01/es01.key \ --url https://localhost:9200"