opendistro-for-elasticsearch / security


Instructions on how to use SSL in the helm repo security demo #2

Open ajbeach2 opened 3 years ago

ajbeach2 commented 3 years ago

I am not sure how exactly to test SSL with curl given the helm repo.

I manually ran the script to generate the elasticsearch.yml configuration for the security demo.

I copied the root-ca.pem into another pod in the same namespace.

curl --cacert /usr/local/share/ca-certificates/es/root-ca.pem https://admin:admin@elasticsearch-opendistro-es-client-service:9200

curl: (60) SSL: no alternative certificate subject name matches target host name 'elasticsearch-opendistro-es-client-service'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I can curl with --insecure and that works:

curl https://admin:admin@elasticsearch-opendistro-es-client-service:9200 --insecure
{
  "name" : "elasticsearch-opendistro-es-master-0",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "uJBRxkKDQYaA9Es_AhWwiA",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "tar",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

How can I use curl and SSL with the demo configuration? enforce_hostname_verification is set to false, but that doesn't seem to be related to my issue.

cluster.name: "docker-cluster"
network.host: 0.0.0.0

# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
# Details: https://github.com/elastic/elasticsearch/pull/17288
discovery.zen.minimum_master_nodes: 1

######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########

peterzhuamazon commented 3 years ago

Hi @ajbeach2 this seems related to security plugin, so I will transfer this issue to their repo. Thanks.

ajbeach2 commented 3 years ago

Thanks. I believe I know what the issue is. I need to generate new certificates to test that have alternate names that match the DNS records in Kubernetes. I was able to generate these; I just need to mount the certs and configs, then test.
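The fix described in the last comment, generating certificates whose subject alternative names match the Kubernetes service DNS names, as an added example that is not part of the issue or of the Helm chart. It assumes openssl 1.1.1 or newer is installed and uses a placeholder namespace; the service name is the one from the curl error above.

```shell
#!/bin/sh
# Added example (not the issue's or the helm chart's own script): generate a
# root CA and a node certificate whose SANs cover the Kubernetes DNS names a
# client uses to reach the service, then run the same hostname check curl does.
# Assumptions: openssl 1.1.1+ is installed; NS is a placeholder namespace.
set -eu

OUT="${OUT:-$(mktemp -d)}"
SVC="${SVC:-elasticsearch-opendistro-es-client-service}"  # service from the issue
NS="${NS:-default}"                                        # assumed namespace

gen_certs() {
  # Root CA: CSR self-signed with CA extensions (key left unencrypted for the demo)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$OUT/root-ca-key.pem" -out "$OUT/root-ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$OUT/ca.cnf"
  openssl x509 -req -in "$OUT/root-ca.csr" -signkey "$OUT/root-ca-key.pem" \
    -days 365 -extfile "$OUT/ca.cnf" -out "$OUT/root-ca.pem" 2>/dev/null

  # Node cert: the CN alone is ignored by modern clients; the SAN list is what
  # curl matches against the host in the URL, so list every name clients use.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=esnode" \
    -keyout "$OUT/esnode-key.pem" -out "$OUT/esnode.csr" 2>/dev/null
  cat > "$OUT/san.cnf" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$SVC,DNS:$SVC.$NS,DNS:$SVC.$NS.svc,DNS:$SVC.$NS.svc.cluster.local,DNS:localhost,IP:127.0.0.1
EOF
  openssl x509 -req -in "$OUT/esnode.csr" -CA "$OUT/root-ca.pem" \
    -CAkey "$OUT/root-ca-key.pem" -CAcreateserial -days 365 \
    -extfile "$OUT/san.cnf" -out "$OUT/esnode.pem" 2>/dev/null
}

# Exit 0 only if esnode.pem chains to root-ca.pem AND one SAN matches $1:
# the check curl --cacert performs before it sends admin:admin over the wire.
verify_host() {
  openssl verify -CAfile "$OUT/root-ca.pem" -verify_hostname "$1" \
    "$OUT/esnode.pem" >/dev/null 2>&1
}

gen_certs
verify_host "$SVC" && echo "ok: $SVC is in the SANs"
verify_host "wrong-host.example" || echo "rejected: wrong-host.example (as expected)"
# Mount esnode.pem, esnode-key.pem and root-ca.pem into the pods in place of the
# demo files; then, from another pod:  curl --cacert root-ca.pem https://$SVC:9200
```

With the generated files mounted, the original curl command verifies the server without --insecure, and a name that is not in the SAN list is still rejected with error 60.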