
ElasticSearch cluster SSL/TLS configuration

The ElasticSearch X-Pack documentation has a good description of how to secure your ElasticSearch cluster using SSL/TLS.
I used certgen to generate certificates for all the nodes, as shown below:

  1. Create an instances.yml file:
    vim /work/elk/elasticsearch-5.6.2/config/x-pack/instances.yml
    
    instances:
      - name: "hostname-00"
        ip:
          - "192.126.0.163"
          - "192.0.2.2"
          - "198.51.100.1"
        dns:
          - "hostname-00"
          - "hostname-00.mydomain.name"
      - name: "hostname-01"
        ip:
          - "192.126.0.164"
        dns:
          - "hostname-01"
          - "hostname-01.mydomain.name"
      - name: "hostname-02"
      - name: "CN=hostname-03,C=GB,ST=Greater London,L=London,O=OrgName,OU=OrgUnit,DC=mydomain,DC=com"
        dns:
          - "hostname-03.mydomain.name"
          - "hostname-03.internal"
          - "hostname-03"
    
  2. Run the command below to generate a CA certificate and private key, as well as certificates and private keys for the instances listed in the YAML file:
    /work/elk/elasticsearch-5.6.2/bin/x-pack/certgen --days 3650 --keysize 2048 --in /work/elk/elasticsearch-5.6.2/config/x-pack/instances.yml --out /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle.zip
    cd /work/elk/elasticsearch-5.6.2/config/x-pack/
    unzip certificate-bundle.zip -d ./certificate-bundle/
    
    See the certgen page for all available options.
  3. If you already have a CA certificate and key, you can use them to sign all the generated certificates:
    /work/elk/elasticsearch-5.6.2/bin/x-pack/certgen --days 3650 --keysize 2048 --in /work/elk/elasticsearch-5.6.2/config/x-pack/instances.yml --out /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle.zip --cert /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle/ca/ca.crt --key /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle/ca/ca.key
    
    This comes in handy when you later decide to add new nodes or clients to your cluster.
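
Once the bundle from step 2 is unzipped, each node's certificate can be checked against the CA before it is deployed. The script below is an added example, not part of the original post or of Elastic's tooling; it assumes `openssl` is installed and that each instance directory holds `<name>/<name>.crt` and `<name>/<name>.key` (only the `ca/` paths appear in the post), and its function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: sanity-check an unzipped certgen bundle before copying files to nodes.
# Assumed layout: <bundle>/ca/ca.crt plus <bundle>/<name>/<name>.crt and <name>.key
# (only the ca/ paths appear in the post; the per-instance layout is an assumption).

# Print the SHA-256 of the public key held in a certificate (x509) or private key (pkey).
pubkey_hash() {  # $1 = x509|pkey, $2 = PEM file
  case "$1" in
    x509) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    pkey) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Print the subjectAltName entries of a certificate, to compare with instances.yml.
cert_sans() {  # $1 = certificate file
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Check every instance directory; return 0 only if all of them pass.
verify_bundle() {  # $1 = directory the zip was extracted into
  bundle=$1; ca="$bundle/ca/ca.crt"; failed=0
  [ -f "$ca" ] || { echo "missing $ca" >&2; return 2; }
  for dir in "$bundle"/*/; do
    name=$(basename "$dir")
    [ "$name" = ca ] && continue
    crt="$dir$name.crt"; key="$dir$name.key"
    # 1. The certificate must chain to the bundle's CA.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
      echo "FAIL $name: not signed by $ca" >&2; failed=1; continue
    fi
    # 2. The private key must belong to the certificate (same public key).
    ch=$(pubkey_hash x509 "$crt") && kh=$(pubkey_hash pkey "$key") && [ "$ch" = "$kh" ] ||
      { echo "FAIL $name: key does not match certificate" >&2; failed=1; continue; }
    # 3. Show the SANs so they can be compared with the ip/dns lists in instances.yml.
    sans=$(cert_sans "$crt")
    echo "OK   $name: ${sans:-(no subjectAltName)}"
  done
  return "$failed"
}

# Run against the directory given on the command line, if any.
[ "$#" -eq 0 ] || verify_bundle "$1"
```

Run it with the extraction directory as its argument, for example `./certificate-bundle`. Because `ca.key` can sign certificates for new nodes (step 3), keep it off the cluster nodes; each node needs only `ca.crt` and its own certificate and key.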
