TLS certificates & config snippets via sgtlstool

Hi,

After I got stuck trying to get custom certificates created and configured using the opendistro docs :thinking: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/generate-certificates/

To successfully create ones, I went over to the Searchguard documentation and used their Java-based offline cert creator tool sgtlstool (https://docs.search-guard.com/latest/offline-tls-tool, also available as an online version: https://docs.search-guard.com/latest/online-tls-generator), which finally worked for me.

Steps

After modifying ‘config/example.yml’, all the certs can be created at once:

search-guard-tlstool-1.7$ tools/sgtlstool.sh -c config/example.yml -ca -crt -v -o

Another benefit is that you get the config snippets as well.

odfe-node1_elasticsearch_config_snippet.yml

# This is a configuration snippet for the node odfe-node1
# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
# If the config file already contains SearchGuard configuration, this needs to be replaced.
# Furthermore, you need to copy the files referenced below into the same directory.
# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.

searchguard.ssl.transport.pemcert_filepath: odfe-node1.pem
searchguard.ssl.transport.pemkey_filepath: odfe-node1.key
searchguard.ssl.transport.pemkey_password: thissupposedtobeakeypassword
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: odfe-node1_http.pem
searchguard.ssl.http.pemkey_filepath: odfe-node1_http.key
searchguard.ssl.http.pemkey_password: thissupposedtobeakeypassword
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=*.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=admin.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

The config snippet just requires a small modification to work for opendistro, so everything starting with

searchguard.ssl.

has to be replaced by

opendistro_security.ssl.

On Linux (GNU sed):

sed -i -- 's/searchguard\./opendistro_security./g' *_elasticsearch_config_snippet.yml

On macOS (non-GNU sed) it is:

sed -i '' -e 's/searchguard\./opendistro_security./g' *_elasticsearch_config_snippet.yml

sgtlstool fork?

My question to the ODFE team is whether this great open-source tool search-guard-tlstool can be forked, modified and included in opendistro -> https://github.com/floragunncom/search-guard-tlstool/

Changing a few JSON properties in the following file should be sufficient:

src/main/java/com/floragunn/searchguard/tools/util/EsNodeConfig.java

thanks,
nean
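As an added example (not part of nean's post and not code from the sgtlstool project), here is a small POSIX shell script that performs the conversion described in the post and adds the checks you would want before the snippet goes into elasticsearch.yml. It writes the converted snippet to a new file instead of editing in place, so the same command works with GNU and BSD sed; it escapes the dot so only the literal searchguard. prefix is rewritten; it verifies that every *_filepath the snippet references actually exists next to the config; and it lists the settings that deserve a second look, namely transport hostname verification turned off and the key password stored in clear text. The embedded sample snippet is constructed here with a placeholder password and the function names are my own.

```shell
#!/bin/sh
# Added example: convert a sgtlstool *_elasticsearch_config_snippet.yml to
# Open Distro key names and sanity-check the result. Not from the post.

# Constructed sample snippet with the same keys as the one generated by
# sgtlstool for odfe-node1, with a placeholder password. Written to $1.
write_sample_snippet() {
    cat > "$1" <<'EOF'
# This is a configuration snippet for the node odfe-node1
searchguard.ssl.transport.pemcert_filepath: odfe-node1.pem
searchguard.ssl.transport.pemkey_filepath: odfe-node1.key
searchguard.ssl.transport.pemkey_password: PLACEHOLDER_PASSWORD
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: odfe-node1_http.pem
searchguard.ssl.http.pemkey_filepath: odfe-node1_http.key
searchguard.ssl.http.pemkey_password: PLACEHOLDER_PASSWORD
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=*.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=admin.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
EOF
}

# Rewrite the "searchguard." key prefix to "opendistro_security.".
# The dot is escaped so only the literal prefix matches, and the output goes
# to a new file ($2) so the command is identical on GNU and BSD sed.
convert_snippet() {
    sed -e 's/^searchguard\./opendistro_security./' "$1" > "$2"
}

# Return 0 if every *_filepath value in the snippet exists in directory $2,
# otherwise print each missing file and return 1.
check_referenced_files() {
    snippet="$1"; dir="$2"; rc=0
    for f in $(sed -n 's/^[a-z_.]*_filepath: *//p' "$snippet"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the settings a reviewer should look at before deploying: transport
# hostname verification disabled, and PEM key passwords kept in clear text in
# the config file. Returns 1 if any such line is present, 0 otherwise.
flag_weak_settings() {
    hits=$(grep -E '^opendistro_security\.ssl\.transport\.enforce_hostname_verification: *false|^opendistro_security\.ssl\.(http|transport)\.pemkey_password:' "$1" || true)
    [ -z "$hits" ] && return 0
    printf 'review these settings in %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Usage on a scratch directory (safe to run as-is; nothing is edited in place).
work=$(mktemp -d)
write_sample_snippet "$work/odfe-node1_elasticsearch_config_snippet.yml"
convert_snippet "$work/odfe-node1_elasticsearch_config_snippet.yml" "$work/odfe-node1_odfe.yml"
check_referenced_files "$work/odfe-node1_odfe.yml" "$work" \
    || echo "copy the certificate files next to elasticsearch.yml first" >&2
flag_weak_settings "$work/odfe-node1_odfe.yml" || true
```

On a real node, point convert_snippet at the file sgtlstool produced, copy the referenced .pem and .key files into the config directory, and only merge the converted lines into elasticsearch.yml once check_referenced_files passes and the flagged settings have been consciously accepted or changed.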

Why would this happen? I’m not even sure why you used Searchguard to achieve the same thing that ODFE already supports.

Hi @chaos,

I’m not aware of any TLS certificate and config creation tool like sgtlstool that is included in ODFE.
This is a very convenient tool in terms of getting custom certificates and a more advanced SSL setup.

Let us know if there is any better solution than using demo certs or creating certs from scratch using openssl commands.

thanks

Sorry @nean
I misunderstood the post here. I thought this was a guide for using TLS in SearchGuard.

Looks good :slightly_smiling_face: