CollectionBuilder / collectionbuilder-sa_draft

experimental version of collectionbuilder, probably don't use! We've started to call this version CollectionBuilder-ES (Elastic!).
MIT License

Elasticsearch SSL is going to require an official (not-self-signed) certificate, which requires a domain name #37

Open derekenos opened 4 years ago

derekenos commented 4 years ago

Steps to get a working, valid cert

  1. Create an "A" DNS record that points to the Droplet IP

  2. Open port 80 on the Droplet as required by certbot

  3. Install and run the Let's Encrypt certbot (instructions)

    # deps + repo were already present on system
    sudo apt install certbot
    sudo certbot certonly --standalone
    # enter domain name

    Cert files are generated in: /etc/letsencrypt/live/<domain>

  4. Copy cert files into the Elasticsearch directory, with some guidance from: https://www.elastic.co/fr/blog/x-pack-security-for-elasticsearch-with-lets-encrypt-certificates

    # remove the old (self-signed) cert files
    sudo rm /etc/elasticsearch/certs/*
    # copy the Let's Encrypt files (non-recursive cp follows the symlinks in live/, so real files land in certs/)
    sudo cp /etc/letsencrypt/live/cb-elasticsearch.derekenos.com/* /etc/elasticsearch/certs/
    # 640: root can read/write, the elasticsearch group can read (it needs privkey.pem), nobody else
    sudo chmod 640 /etc/elasticsearch/certs/*
    sudo chown -R root:elasticsearch /etc/elasticsearch/certs/

  5. Configure Elasticsearch to use the new cert

    In /etc/elasticsearch/elasticsearch.yml, replace:

    xpack.security.http.ssl.keystore.path: ...
    xpack.security.http.ssl.truststore.path: ...

    with

    xpack.security.http.ssl.key: certs/privkey.pem
    xpack.security.http.ssl.certificate: certs/fullchain.pem
    xpack.security.http.ssl.certificate_authorities: [ "certs/chain.pem" ]

  6. Restart Elasticsearch

    sudo systemctl restart elasticsearch

  7. It works!

  8. Close port 80 on the Droplet

TODO

Schedule automatic renewal (need to have port 80 open all the time?). Certs are valid for 90 days. Every < 90 days, do via cron: `certbot renew`
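Steps 4 to 6 of the comment above have to be repeated after every renewal, which is exactly what a certbot deploy hook is for: certbot runs the hook after each successful renewal with `RENEWED_LINEAGE` set to the `/etc/letsencrypt/live/<domain>` directory (install it with `certbot renew --deploy-hook /path/to/script` or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`). The script below is an added example, not code from the issue or from the CollectionBuilder project. It assumes the destination directory `/etc/elasticsearch/certs` and the group `elasticsearch` from the steps above (overridable via `ES_CERTS_DIR` and `ES_GROUP`); the function and variable names are mine. Note that the `--standalone` authenticator used in step 3 answers the HTTP-01 challenge on port 80, so a renewal still needs port 80 reachable at renewal time; that is the trade-off behind the question in the TODO.

```shell
#!/bin/sh
# Added example (not from the issue or the CollectionBuilder project):
# certbot deploy hook that re-does steps 4-6 after a renewal.
# certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain>.
# Assumed defaults: ES_CERTS_DIR=/etc/elasticsearch/certs, ES_GROUP=elasticsearch.
set -eu

# The three files elasticsearch.yml points at (see step 5 above).
ES_CERT_FILES="privkey.pem fullchain.pem chain.pem"

# install_es_certs <lineage dir> <dest dir> <group>
# Copies the three files out of the lineage (dereferencing the live/
# symlinks), gives them mode 0640 and the given group, and renames each
# into place so a reader never sees a half-written file. Files are owned
# by the invoking user (root when certbot runs the hook).
# Returns 1, before touching <dest dir>, if any file is missing.
install_es_certs() {
  src="$1"; dest="$2"; group="$3"
  for f in $ES_CERT_FILES; do
    if [ ! -r "$src/$f" ]; then
      echo "install_es_certs: missing $src/$f" >&2
      return 1
    fi
  done
  mkdir -p "$dest"
  chmod 750 "$dest"
  chgrp "$group" "$dest"
  for f in $ES_CERT_FILES; do
    cp -L "$src/$f" "$dest/$f.tmp"      # -L: copy the target, not the symlink
    chmod 640 "$dest/$f.tmp"             # owner rw, group r, world nothing
    chgrp "$group" "$dest/$f.tmp"
    mv -f "$dest/$f.tmp" "$dest/$f"      # atomic replace of the old file
  done
}

# verify_es_certs <lineage dir> <dest dir>
# Checks what step 7 ("It works!") checked by hand: each installed file is a
# regular file (not a dangling symlink), byte-identical to the lineage, and
# mode 0640. Returns 1 on the first mismatch.
verify_es_certs() {
  src="$1"; dest="$2"
  for f in $ES_CERT_FILES; do
    p="$dest/$f"
    if [ -L "$p" ] || [ ! -f "$p" ]; then
      echo "verify_es_certs: $p is not a regular file" >&2; return 1
    fi
    if ! cmp -s "$src/$f" "$p"; then
      echo "verify_es_certs: $p differs from $src/$f" >&2; return 1
    fi
    mode=$(ls -ld "$p" | cut -c1-10)
    if [ "$mode" != "-rw-r-----" ]; then
      echo "verify_es_certs: $p has mode $mode, expected -rw-r-----" >&2; return 1
    fi
  done
}

# Only act when certbot invokes us as a deploy hook; otherwise just define
# the functions so the script can be sourced or tested.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  dest="${ES_CERTS_DIR:-/etc/elasticsearch/certs}"
  install_es_certs "$RENEWED_LINEAGE" "$dest" "${ES_GROUP:-elasticsearch}"
  verify_es_certs "$RENEWED_LINEAGE" "$dest"
  systemctl restart elasticsearch
fi
```

Because the hook restarts Elasticsearch, every renewal causes a short outage of the search endpoint; on a single-node setup like a Droplet that is unavoidable with file-based certificates. Before adding a cron entry for `certbot renew`, check `systemctl list-timers` for an existing certbot timer so the renewal is not scheduled twice.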