
How to easily enable SSL (HTTPS) on Elasticsearch

In today’s digital landscape, security is paramount. With data breaches becoming increasingly common, safeguarding sensitive information is not just an option but a necessity. If you’re utilizing Elasticsearch to manage and analyze your data, ensuring secure communication is crucial. One effective way to achieve this is by enabling SSL (Secure Sockets Layer) or its successor, TLS (Transport Layer Security), to encrypt the data transmitted between clients and Elasticsearch.

In this guide, we’ll walk you through the process of enabling SSL on Elasticsearch, making your data transmissions secure without the need for advanced technical skills.

Why SSL/TLS Matters for Elasticsearch

Elasticsearch, being a distributed search and analytics engine, often deals with sensitive data. Whether it’s user information, log data, or any other form of structured or unstructured data, ensuring its confidentiality and integrity during transmission is crucial. SSL/TLS provides a robust mechanism for encrypting the data transmitted between clients and Elasticsearch nodes, thus preventing eavesdropping, tampering, and other malicious activities.

Prerequisites

Before we dive into enabling SSL on Elasticsearch, ensure you have the following:

  1. Elasticsearch Installed: Make sure you have Elasticsearch installed on your server or environment.
  2. Access to Configuration Files: You’ll need access to Elasticsearch configuration files to make the necessary changes.

Generate CA and Key for ELK Stack

Start by generating a Certificate Authority (CA) and key for your Elasticsearch-Logstash-Kibana (ELK) stack using the following command:

./bin/elasticsearch-certutil ca

Generate Certificates and Keys for Nodes

Next, generate certificates and keys for each node in your Elasticsearch cluster. Execute the command below for each node:

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Configure Node Intercommunication

Update the elasticsearch.yml configuration file on each node to enable SSL for intercommunication:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Generate Certificates and Keys for HTTPS Configuration

Generate certificates and keys specifically for HTTPS configuration using the following command:

./bin/elasticsearch-certutil http

Configure HTTPS for Elasticsearch

Update the elasticsearch.yml file on each Elasticsearch node to enable SSL for HTTP communication:

xpack.security.http.ssl.enabled: true 
xpack.security.http.ssl.keystore.path: http.p12

Configure HTTPS for Kibana

Update the kibana.yml configuration file so that Kibana communicates securely with Elasticsearch:

elasticsearch.ssl.certificateAuthorities: elasticsearch-ca.pem 
elasticsearch.hosts: https://<elasticsearch_host>:9200

Secure Keystore (if applicable)

If there is a password for the private key, add it to the Elasticsearch keystore using the following commands:

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password 
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password 
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

Restart Elasticsearch and Kibana

After making the necessary changes, restart every Elasticsearch node and Kibana to apply the new configuration:

sudo service elasticsearch restart
sudo service kibana restart

Test SSL/TLS Configuration

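To verify that SSL/TLS is properly configured, you can use a utility like cURL or simply try accessing Elasticsearch over HTTPS from your browser. Because the certificate is signed by your own CA rather than a public one, pass the CA certificate to cURL so it can validate the server:

curl --cacert elasticsearch-ca.pem -XGET https://<elasticsearch_host>:9200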
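
The curl test shows that the HTTP layer answers over TLS, but not that the transport settings were applied as written. The script below is an added example (not from the original guide or from Elastic) that audits an elasticsearch.yml against the values this guide sets. The function names and the sample config are constructed for illustration, and it assumes the flat dotted-key style used above.

```shell
#!/usr/bin/env bash
# Added example: audit elasticsearch.yml against the TLS settings this guide sets.
# Assumption: flat dotted keys ("a.b.c: value") as in the guide; nested YAML is not parsed.

# get_setting FILE KEY: print the last uncommented value of KEY (empty if absent)
get_setting() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }                          # skip comment lines
    { line = $0
      sub(/[ \t]+#.*$/, "", line)                # drop trailing comment
      i = index(line, ":"); if (i == 0) next
      k = substr(line, 1, i - 1); v = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v }
    END { print val }' "$1"
}

# check_es_tls FILE: print one FAIL line per deviation; return 1 if any were found
check_es_tls() {
  cfg="$1"; bad=0; p=xpack.security
  for layer in transport http; do                # both layers need TLS and a keystore
    [ "$(get_setting "$cfg" "$p.$layer.ssl.enabled")" = "true" ] ||
      { echo "FAIL $p.$layer.ssl.enabled is not true"; bad=1; }
    [ -n "$(get_setting "$cfg" "$p.$layer.ssl.keystore.path")" ] ||
      { echo "FAIL $p.$layer.ssl.keystore.path is not set"; bad=1; }
  done
  case "$(get_setting "$cfg" "$p.transport.ssl.verification_mode")" in
    certificate|full) ;;                         # guide value, or the stricter "full"
    *) echo "FAIL $p.transport.ssl.verification_mode is not certificate/full"; bad=1 ;;
  esac
  [ "$(get_setting "$cfg" "$p.transport.ssl.client_authentication")" = "required" ] ||
    { echo "FAIL $p.transport.ssl.client_authentication is not required"; bad=1; }
  return "$bad"
}

# Constructed sample: transport TLS on but validation off, HTTP layer left in plaintext
sample="$(mktemp)"
cat > "$sample" <<'EOF'
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none   # weakened
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
#xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
EOF
if check_es_tls "$sample"; then echo "OK"; else echo "config deviates from the guide"; fi
```

Run the function against each node's elasticsearch.yml before the restart step; a non-zero return means at least one setting differs from the guide's values.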

Conclusion

Enabling SSL/TLS on Elasticsearch is a critical step in securing your data in transit. By following the steps outlined in this guide, you can ensure that communications with your Elasticsearch cluster are encrypted and protected against unauthorized access. Remember to keep your SSL/TLS certificates up to date and follow best practices for maintaining a secure Elasticsearch environment.
