Encrypting Communications in an Elasticsearch Docker Container

Starting with version 6.0.0, X-Pack security (Gold, Platinum or Enterprise subscriptions) requires SSL/TLS encryption for the transport networking layer.

This section demonstrates an easy path to get started with SSL/TLS for both HTTPS and transport using the Elasticsearch Docker image. The example uses Docker Compose to manage the containers.

For further details, please refer to Encrypting Communications and available subscriptions.

Prepare the environment

Install Elasticsearch with Docker.

Inside a new, empty directory, create the following four files:

instances.yml:

instances:
  - name: es01
    dns:
      - es01 
      - localhost
    ip:
      - 127.0.0.1

  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1

Listing es01 under dns allows use of embedded Docker DNS server names.

.env:

CERTS_DIR=/usr/share/elasticsearch/config/certificates 
ELASTIC_PASSWORD=PleaseChangeMe 

CERTS_DIR: the path, inside the Docker image, where certificates are expected to be found.

ELASTIC_PASSWORD: the initial password for the elastic user.

create-certs.yml:

Warning

Version 6.6.0 of Elasticsearch has not yet been released, so a create-certs.yml is not available for this version.

docker-compose.yml:

Warning

Version 6.6.0 of Elasticsearch has not yet been released, so a docker-compose.yml is not available for this version.

Run the example

  1. Generate the certificates (only needed once):

    docker-compose -f create-certs.yml up

  2. Start two Elasticsearch nodes configured for SSL/TLS:

    docker-compose up -d

  3. Access the Elasticsearch API over SSL/TLS using the bootstrapped password:

    curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe https://localhost:9200

  4. The elasticsearch-setup-passwords tool can also be used to generate random passwords for all users:

    Warning

    Windows users not running PowerShell will need to remove \ and join lines in the snippet below.

    docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
    auto --batch \
    -Expack.ssl.certificate=certificates/es01/es01.crt \
    -Expack.ssl.certificate_authorities=certificates/ca/ca.crt \
    -Expack.ssl.key=certificates/es01/es01.key \
    --url https://localhost:9200"
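
The curl call in step 3 passes hostname verification only because instances.yml puts localhost in each certificate's subject alternative names (SANs). The check below is an added example, not part of the original Elastic documentation; the function names and the sample SAN text are constructed, and the host-side certificate path in the final comment is an assumption.

```shell
#!/bin/sh
# Added example: confirm a node certificate's SANs cover the names
# declared for that node in instances.yml.

# Print the SAN extension of a PEM certificate (needs OpenSSL 1.1.1+ for -ext).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Read SAN text on stdin; print one "dns:<name>" or "ip:<addr>" per line.
normalize_sans() {
    tr ',' '\n' | sed -n \
        -e 's/^[[:space:]]*DNS:\(.*[^[:space:]]\)[[:space:]]*$/dns:\1/p' \
        -e 's/^[[:space:]]*IP Address:\(.*[^[:space:]]\)[[:space:]]*$/ip:\1/p'
}

# missing_sans SAN_TEXT EXPECTED...
# Prints every expected entry that is absent; returns 0 only if none is missing.
# Matching is exact (grep -x), so "es0" does not pass because "es01" is present.
missing_sans() {
    sans=$(printf '%s\n' "$1" | normalize_sans)
    shift
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of the SAN output for the es01 certificate.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:es01, DNS:localhost, IP Address:127.0.0.1'

# Expected entries mirror the es01 block of instances.yml.
if missing=$(missing_sans "$SAMPLE_SAN" dns:es01 dns:localhost ip:127.0.0.1); then
    echo "es01: all SAN entries present"
else
    echo "es01: missing SAN entries: $missing"
fi

# Against a real certificate (path is an assumption about the host-side layout):
#   missing_sans "$(cert_sans certs/es01/es01.crt)" dns:es01 dns:localhost ip:127.0.0.1
```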