Elasticsearch new certificates docker stack

When creating a new Elasticsearch Docker stack, you'll need to configure SSL/TLS certificates to secure communication between nodes and clients. Here's a step-by-step guide to help you set up new certificates for your Elasticsearch Docker stack:

Prerequisites:

  1. Docker installed on your machine.
  2. A domain name (e.g., my-elasticsearch.com) for your Elasticsearch cluster.
  3. A text editor or IDE.

Step 1: Generate a Certificate Authority (CA) certificate

Create a new directory for your certificates and navigate to it:

mkdir elasticsearch-certificates
cd elasticsearch-certificates

Use the OpenSSL command to generate a CA certificate:

openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 -subj "/C=US/ST=State/L=Locality/O=Organization/CN=My CA"

This command generates a self-signed CA certificate (ca.crt) and a private key (ca.key) for your CA.

Step 2: Generate a server certificate

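Create a new file server.cnf with the following contents (this is an OpenSSL configuration file, not the signing request itself):

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = US
stateOrProvinceName = State
localityName = Locality
organizationName = Organization
commonName = my-elasticsearch.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = my-elasticsearch.com

This file defines the server certificate's subject and extensions.

Use OpenSSL to create the private key and a certificate signing request, then sign the request with the CA from Step 1:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=US/ST=State/L=Locality/O=Organization/CN=my-elasticsearch.com" -config server.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extfile server.cnf -extensions v3_req

These commands generate a private key (server.key) and a CA-signed server certificate (server.crt) for your Elasticsearch node. The -extfile and -extensions options are required because openssl x509 -req does not copy the subjectAltName from the request on its own.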

Step 3: Generate a client certificate

Create a new file client.cnf with the following contents (again an OpenSSL configuration file, not the signing request itself):

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = US
stateOrProvinceName = State
localityName = Locality
organizationName = Organization
commonName = my-elasticsearch-client

[v3_req]
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = my-elasticsearch-client

This file defines the client certificate's subject and extensions.

Use OpenSSL to create the private key and a certificate signing request, then sign the request with the CA from Step 1:

openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=US/ST=State/L=Locality/O=Organization/CN=my-elasticsearch-client" -config client.cnf
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650 -extfile client.cnf -extensions v3_req

These commands generate a private key (client.key) and a CA-signed client certificate (client.crt) for your Elasticsearch client.

Step 4: Configure your Elasticsearch Docker stack

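In the directory that contains elasticsearch-certificates (run cd .. if you are still inside it), create a new file elasticsearch.yml with the following contents:

network.host: 0.0.0.0
xpack:
  security:
    http:
      ssl:
        enabled: true
        certificate: /usr/share/elasticsearch/config/certs/server.crt
        key: /usr/share/elasticsearch/config/certs/server.key

This file configures Elasticsearch to use the server certificate and private key for SSL/TLS encryption on the HTTP interface. Elasticsearch only reads certificate files located inside its configuration directory, so the paths point to /usr/share/elasticsearch/config/certs. The network.host line is needed because this file replaces the image's default elasticsearch.yml.

Step 5: Create a Docker Compose file

In the same directory, create a new file docker-compose.yml with the following contents:

version: '3'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
    environment:
      - discovery.type=single-node
      - ELASTIC_PASSWORD=change_me
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca.crt
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/server.crt
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/server.key
    volumes:
      - ./elasticsearch-certificates:/usr/share/elasticsearch/config/certs:ro
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    ports:
      - "9200:9200"
      - "9300:9300"

This file defines a Docker service for Elasticsearch, sets environment variables for SSL/TLS configuration on the transport layer, and mounts the elasticsearch-certificates directory and elasticsearch.yml into the container's configuration directory. change_me is a placeholder for the password of the built-in elastic user. The transport layer takes a PEM certificate, key and CA file; the truststore settings expect a Java keystore and cannot be combined with certificate_authorities. The mount exposes every file in elasticsearch-certificates to the container, including ca.key, so keep the CA key elsewhere outside of a test setup.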

Step 6: Start your Elasticsearch Docker stack

Run the following command to start your Elasticsearch Docker stack:

docker-compose up -d

This command starts the Elasticsearch service in detached mode.

Step 7: Verify your Elasticsearch cluster

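Use the Elasticsearch API to verify that your cluster is up and running. Pass the CA certificate so that curl can validate the server certificate, and authenticate as the elastic user (curl prompts for the password). The name my-elasticsearch.com must resolve to the Docker host:

curl --cacert elasticsearch-certificates/ca.crt -u elastic -XGET 'https://my-elasticsearch.com:9200/_cluster/health'

This command should return a response indicating that your cluster is healthy.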
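
If the request fails with a certificate error, the usual causes are a node certificate that does not chain to ca.crt, a private key that does not match it, or a hostname the certificate does not cover. The following pre-flight check is an added example, not part of the original guide; check_cert, make_demo_certs and demo.cnf are hypothetical names, and the demo certificates are throwaway ones constructed in a temporary directory.

```shell
#!/bin/sh
# check_cert CA_CERT NODE_CERT NODE_KEY HOSTNAME -> returns 0 when every check passes
check_cert() {
  # 1. The certificate must chain to the CA that nodes and clients trust.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    || { echo "FAIL: $2 is not signed by $1"; return 1; }
  # 2. The private key must belong to the certificate (compare public keys).
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] \
    || { echo "FAIL: $3 does not match $2"; return 2; }
  # 3. The name clients connect to must match the certificate (SAN, else CN).
  openssl x509 -in "$2" -noout -checkhost "$4" | grep -q 'does match' \
    || { echo "FAIL: $2 is not valid for host $4"; return 3; }
  echo "OK: $2"
}

# Constructed demo input: a throwaway CA, a CA-signed node certificate, and a
# self-signed node certificate (what `openssl req -x509` yields for a node).
make_demo_certs() {
  d=$1; subj="/O=Organization/CN=my-elasticsearch.com"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = Common Name' \
    '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    '[v3_req]' 'subjectAltName = DNS:my-elasticsearch.com' > "$d/demo.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" -extensions v3_ca \
    -keyout "$d/ca.key" -out "$d/ca.crt" -days 1 -subj "/O=Organization/CN=My CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -keyout "$d/server.key" -out "$d/server.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/server.crt" -days 1 -extfile "$d/demo.cnf" -extensions v3_req 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -keyout "$d/self.key" -out "$d/self.crt" -days 1 -subj "$subj" 2>/dev/null
}

# Demo run: the CA-signed certificate passes, the self-signed one fails check 1.
tmp=$(mktemp -d)
make_demo_certs "$tmp"
check_cert "$tmp/ca.crt" "$tmp/server.crt" "$tmp/server.key" my-elasticsearch.com
check_cert "$tmp/ca.crt" "$tmp/self.crt" "$tmp/self.key" my-elasticsearch.com || true
```

Against the real files, run check_cert ca.crt server.crt server.key my-elasticsearch.com inside elasticsearch-certificates before starting the stack.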

That's it! You now have a new Elasticsearch Docker stack with SSL/TLS certificates configured.