Encrypting Communications in an Elasticsearch Docker Image

Starting with version 6.0.0, X-Pack security (Gold, Platinum or Enterprise subscriptions) requires SSL/TLS encryption for the transport networking layer.

This section demonstrates an easy path to get started with SSL/TLS for both HTTPS and transport using the elasticsearch-platinum docker image.

For further details, please refer to Encrypting Communications and available subscriptions.

Prepare the environment

Install Elasticsearch with Docker.

Inside a new, empty directory, create the following four files:

instances.yml:

instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1

The dns entries allow use of the embedded Docker DNS server names (es01, es02).

.env:

CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
ELASTIC_PASSWORD=PleaseChangeMe

CERTS_DIR is the path, inside the Docker image, where the certificates are expected to be found.

ELASTIC_PASSWORD is the initial password for the elastic user.

create-certs.yml:

Warning

Version 6.4.0 of Elasticsearch has not yet been released, so a create-certs.yml is not available for this version.

docker-compose.yml:

Warning

Version 6.4.0 of Elasticsearch has not yet been released, so a docker-compose.yml is not available for this version.

Run the example

  1. Generate the certificates (only needed once):

    docker-compose -f create-certs.yml up
  2. Start two Elasticsearch nodes configured for SSL/TLS:

    docker-compose up -d
  3. Access the Elasticsearch API over SSL/TLS using the bootstrapped password:

    curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe https://localhost:9200
  4. The elasticsearch-setup-passwords tool can also be used to generate random passwords for all users:

    Warning

    Windows users not running PowerShell will need to remove \ and join lines in the snippet below.

    docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
    auto --batch \
    -Expack.ssl.certificate=x-pack/certificates/es01/es01.crt \
    -Expack.ssl.certificate_authorities=x-pack/certificates/ca/ca.crt \
    -Expack.ssl.key=x-pack/certificates/es01/es01.key \
    --url https://localhost:9200"
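The hostname verification performed by curl in step 3, and by the nodes themselves on the transport layer, only succeeds when the name or IP used to connect appears in the certificate's Subject Alternative Name extension, which is exactly what the dns and ip lists in instances.yml populate. The following script is an added example, not code from the Elastic documentation: it parses the instances.yml shown above (embedded here as a constructed copy), reads the SAN extension from a certificate with the openssl CLI, and reports any entry from instances.yml that the certificate lacks. It assumes the openssl binary is installed and that create-certs.yml writes each node's certificate to certs/<name>/<name>.crt (the layout that the certs/ca/ca.crt path in step 3 and the x-pack/certificates/es01/es01.crt path in step 4 suggest); the openssl output excerpt used to exercise the check is likewise constructed.

```python
"""Check that generated node certificates carry the SAN entries listed in
instances.yml (added example; not part of the Elastic docs)."""
import re
import subprocess

# Constructed copy of the instances.yml from the page.
INSTANCES_YML = """\
instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1
"""


def expected_sans(yml_text):
    """Minimal parser for the flat instances.yml layout used on the page (no
    PyYAML dependency). Returns {instance name: set of SAN strings} using the
    "DNS:name" / "IP Address:addr" notation that openssl prints."""
    result, current, section = {}, None, None
    for raw in yml_text.splitlines():
        line = raw.strip()
        if line.startswith("- name:"):
            current = line.split(":", 1)[1].strip()
            result[current] = set()
            section = None
        elif line in ("dns:", "ip:"):
            section = "DNS" if line == "dns:" else "IP Address"
        elif line.startswith("- ") and current and section:
            result[current].add(f"{section}:{line[2:].strip()}")
    return result


def parse_openssl_sans(x509_text):
    """Extract the SAN entries from `openssl x509 -noout -text` output."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", x509_text)
    if not m:
        return set()
    return {e.strip() for e in m.group(1).split(",") if e.strip()}


def missing_sans(name, x509_text, expected):
    """SAN entries that instances.yml requests for `name` but the cert lacks."""
    return expected.get(name, set()) - parse_openssl_sans(x509_text)


def check_node_cert(name, certs_dir="certs", yml_text=INSTANCES_YML):
    """Run openssl against certs/<name>/<name>.crt (assumed layout) and return
    the set of missing SAN entries; an empty set means the cert matches."""
    out = subprocess.run(
        ["openssl", "x509", "-in", f"{certs_dir}/{name}/{name}.crt",
         "-noout", "-text"],
        check=True, capture_output=True, text=True).stdout
    return missing_sans(name, out, expected_sans(yml_text))


# Constructed excerpt of openssl output for an es01 certificate generated
# without the localhost entry, to show the check firing.
SAMPLE_ES01_TEXT = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:es01, IP Address:127.0.0.1
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed excerpt.
    exp = expected_sans(INSTANCES_YML)
    print("es01 missing:", sorted(missing_sans("es01", SAMPLE_ES01_TEXT, exp)))
    # Against a real certs/ directory produced by step 1:
    # for node in exp:
    #     print(node, "missing:", sorted(check_node_cert(node)) or "none")
```

Run it from the directory that holds certs/ after step 1; a non-empty result for a node means a connection using that name or address will fail hostname verification even though the CA is trusted, so the fix is to correct instances.yml and regenerate the certificates rather than to relax verification on the client.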