Tags: ssl, elasticsearch, elastic-shield

Elasticsearch Shield SSL Certificates


I'm using Elasticsearch 2.2.0 with Shield 2.2 on a 10-node cluster. I need to enable SSL in Elasticsearch for Kibana to work with Shield, and I ran into trouble on the certificate signing part.

I do not have a wildcard certificate, so I can't sign just one CSR on a node and copy it to all the other nodes. I tried to use Let's Encrypt (with the Elastic tutorial) to sign a certificate with a common name of node1 and alternative names of node2-10 and copy it to all the other nodes (of course I first created domains for all 10 servers and pointed them to node1, signed the CSR, then pointed the other 9 to the right server). It didn't work, and I got a lot of "bad certificate" exceptions in the node logs.

As I said, I need SSL for Kibana to work with Shield and for secure connections in general, and I am planning to add some more nodes to the cluster. How can I manage that? What would be the best architecture for this purpose?


Solution

  • The problem was that I tried to use the certificates with the private IP seeds of the nodes, and as the documentation says, that is not possible:

    If you use a commercial CA, the DNS names and IP addresses used to identify a node must be publicly resolvable. Internal DNS names and private IP addresses are not accepted due to security concerns.

    If you need to use private DNS names and IP addresses, using an internal CA is the most secure option. It enables you to specify node identities and ensure node identities are verified when nodes connect. If you must use a commercial CA and private DNS names or IP addresses, you cannot include the node identity in the certificate, so the only option is to disable hostname verification.

    So the solution is to use the certificate only for outside requests (like the Kibana UI) by setting, in elasticsearch.yml:

    ```yaml
    shield.transport.ssl: false
    shield.http.ssl: true
    ```
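The documentation quoted in the answer says the robust route for private DNS names and private IPs is an internal CA, which is what the Let's Encrypt attempt could never provide. Below is an added example, not code from the original post and not Elastic's tooling, that does exactly that with plain openssl: one internal CA, one certificate per node whose SAN carries the node's internal DNS name and private IP, and a verify step that applies the same hostname or IP match a connecting peer performs. The node names (nodeN.es.internal), the 10.0.0.1N addresses and the scratch directory (WORK) are assumptions made up for the example.

```shell
#!/usr/bin/env bash
# Added example: internal CA plus per-node certificates with private DNS/IP SANs.
# Not code from the original post; names and addresses below are made up.
set -eu

# Scratch directory for keys and certificates (assumption: override with WORK=...)
WORK="${WORK:-$(mktemp -d)}"

# Create the internal CA (ca.key, ca.crt). It never leaves the organisation,
# so it can sign the private names a commercial CA refuses.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Internal Elasticsearch CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# make_node_cert NAME DNS IP
# One key and certificate per node. Hostname verification checks the SAN,
# so both the internal DNS name and the private IP go into it.
make_node_cert() {
  local name="$1" dns="$2" ip="$3"
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$dns" "$ip" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$dns" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# verify_node_cert NAME HOST
# Chain check against the CA plus the identity match a peer performs:
# -verify_ip for a dotted-quad, -verify_hostname otherwise. Returns 0 only on "OK".
verify_node_cert() {
  local name="$1" host="$2" flag out
  case "$host" in
    *[!0-9.]*) flag="-verify_hostname" ;;
    *)         flag="-verify_ip" ;;
  esac
  out="$(openssl verify -CAfile "$WORK/ca.crt" "$flag" "$host" "$WORK/$name.crt" 2>&1)" \
    || return 1
  [ "$out" = "$WORK/$name.crt: OK" ]
}

# demo: issue certificates for three nodes, confirm each verifies by name and
# by IP, and confirm node2's certificate is rejected for node1's address.
demo() {
  make_ca || return 1
  local i
  for i in 1 2 3; do
    make_node_cert "node$i" "node$i.es.internal" "10.0.0.1$i" || return 1
  done
  for i in 1 2 3; do
    verify_node_cert "node$i" "node$i.es.internal" || return 1
    verify_node_cert "node$i" "10.0.0.1$i" || return 1
  done
  if verify_node_cert node2 10.0.0.11; then
    return 1
  fi
  echo "issued and verified 3 node certificates in $WORK"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Run it as `bash issue-node-certs.sh demo`. Converting each PEM pair into the Java keystore that Shield 2.x loads (`openssl pkcs12 -export` followed by `keytool -importkeystore`) is left out of the block. The payoff is that transport SSL can stay on with hostname verification enabled, instead of the `shield.transport.ssl: false` workaround above, which leaves all node-to-node traffic on the network in clear text; the commercial certificate can still serve the HTTP port that Kibana and browsers reach.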