Is it possible to generate certificates via Citadel for HTTPS services? In my case, I would like to use the Elastic ECK operator to spawn a new Elasticsearch cluster + Kibana, but I don't want to use the self-signed CA (since I'd have to push that CA certificate file to all and every service that wants to connect to the ES API); rather I'd like to use another self-signed certificate authority; the one and the same that Istio uses.
My hope is that if we get around to adding Vault to the cluster + cert-manager, I can easily create new certificates with that and all HTTPS usage INSIDE the cluster.
How can I (or can I), generate TLS certificates with Istio somehow? I have SDS installed in the cluster.
This question is not about:
How to generate public certificates
cert-manager
How to turn off TLS in Elasticsearch's HTTP endpoint
Related
When i build the container of elasticsearch and the compose logs I got "WARN", "message":"received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.29.0.2:9200, remoteAddress=/172.29.0.4:54642}"
And also when I curl to "https://elasticsearch:9200" i got the following curl: (60) SSL certificate problem: self signed certificate in certificate chain It might be the problem from the SSL certificate?
I have a privekey.pem and fullchain.pem files how to use them in order to solve this issue ?
Noting it is all up but kibana not connected to elasticsearch, and also i tried to disable security but i have the same error.
Unless you are using a trial license, Elastic Stack security features require SSL/TLS encryption for the transport networking layer.
This section demonstrates an easy path to get started with SSL/TLS for both HTTPS and transport using the Elasticsearch Docker image. The example uses Docker Compose to manage the containers.
Due to auditing requirements, it is necessary to encrypt all connections between the application and the elasticsearch cluster
after a little googling, I realized that the elasticsearch cluster protection looks like this
Enable x-pack: true in elasticsearch.yml
generate CA
copy the CA to each node in the cluster
generate a certificate for each node (by signing it using the generated CA in paragraph 2)
in this case, we will have a secure connection ONLY between the nodes in the cluster (on port 9300)
inter-node tls
I have purchased an SSL certificate and the certificate files look like this
STAR_rem-masters_com.ca-bundle star_rem_masters_com_certificate.crt
(I bought these certificates from sectigo)
Now the question is how can these certificates be used for inter-node ssl and client-server ( application > elasticsearch ) because in all examples they use self-signed certificates that are generated using elasticsearch-certutil
APISIX uses etcd as the configuration center, I have configured and enabled mTLS in etcd for secure data transfer, how do I configure it in APISIX to make it effective?
First of all, you need to prepare a pair of client certificate and private key. Then configure it on APISIX. You can specify them in the config.yaml. The related fields are:
etcd.tls.cert: client certificate
etcd.tls.key: client private key
apisix.ssl. ssl_trusted_certificate: CA certificate to verify the ETCD server certificate
I'm now researching the Hashistack and trying to deploy pet microservice-based project on it. I deployed Nomad and Consul clusters with Ansible roles on bare metal nodes:
https://github.com/ansible-community/ansible-consul.git (v2.5.4)
https://github.com/ansible-community/ansible-nomad.git (v1.9.6)
Servers of Nomad and Consul are placed on the same nodes.
I do not use Vault. I created separate private CA, generated TLS certificates and private keys for these services and configured Nomad and Consul servers and clients to use them.
My goal is to setup production ready Hashistack cluster. So that I want to setup full TLS for both services.
I successfully connected to both UIs via HTTP, but when I try HTTPS, I get the SSL_ERROR_BAD_CERT_ALERT error.
I'll appreciate if you suggest the best practices to operate the Hashistack in production, and what steps are required for it.
Thank you!
I'm a bit late to respond, but came across the same error. Figured I'd leave my solution in case future readers find it helpful...
For me, the issue came down to the verify_https_client flag in my Nomad tls config block. Since Nomad is configured for mutual TLS, all clients (including web browsers) need to provide a client certificate signed by the same CA used by Nomad in order to connect. You'll need to generate/sign that certificate, and look up how to configure your browser to automatically provide it when needed.
For production use, that's the safest route. For a dev environment, you can just set that verify_https_client config to false in your Nomad config.
Here's a link to the Nomad docs for this flag: https://www.nomadproject.io/docs/configuration/tls#verify_https_client
You need first, generate a client certificate for your web brower.
Then convert it to PKCS12 format.
openssl pkcs12 -export -inkey ./nomad-cli.key -in ./nomad-cli.pem -out ./nomad-cli.p12
Let's say your are using Chrome,
Go to chrome://settings/certificates?search=certificate and import the converted certificate nomad-cli.p12.
I've found answer for same case.
When nomad cluster deployed with mTLS need deploy cli keys to each server nodes or at least on the node to which you are configuring the connection.
cli keys generated by instruction https://learn.hashicorp.com/tutorials/nomad/security-enable-tls#nomad-ca-key-pem
and nginx configured by instruction https://learn.hashicorp.com/tutorials/nomad/reverse-proxy-ui?in=nomad/manage-clusters
however this manual does not contain a description of configuring mTLS.
You need add following parameters in location /.
location / {
....
proxy_pass https://127.0.0.1:4646;
proxy_ssl_certificate /etc/nomad.d/cli.pem;
proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;
proxy_ssl_verify off;
....
}
In this case nginx can connect encrypted connection with nomad http port with TLS.
Also don't forget enable http basic auth at least.
I try to do GRPC client --> GCP external LB with HTTPS --> GKE with pod GRPC server
The external LB uses a google managed certificate.
The documentation states:
If you are using HTTPS or HTTP/2 from the load balancer to the backends, you must install SSL certificates on each VM instance. To install SSL certificates on a VM instance, use the instructions in your application documentation. These certificates can be self-signed.
So I developped the grpc server with a self-signed certificate.
My question is how the backend service (part of the LB) can call the GRPC server without the server.crt, i.e. the public key of the cert used in the GRPC server?
Is there a way to pass this server.crt to the backend service?
I don't see how to fulfill the documentation requirement.
Please help :)