Encrypting Communications in an Elasticsearch Docker Imageedit
Starting with version 6.0.0, X-Pack security (Gold, Platinum or Enterprise subscriptions) requires SSL/TLS encryption for the transport networking layer.
This section demonstrates an easy path to get started with SSL/TLS for both
HTTPS and transport using the elasticsearch-platinum docker image.
For further details, please refer to Encrypting Communications and available subscriptions.
Prepare the environmentedit
Install Elasticsearch with Docker.
Inside a new, empty, directory create the following four files:
instances.yml:
instances:
- name: es01
dns:
- es01 
- localhost
ip:
- 127.0.0.1
- name: es02
dns:
- es02
- localhost
ip:
- 127.0.0.1
| Allow use of embedded Docker DNS server names. |
.env:
| The path, inside the Docker image, where certificates are expected to be found. |
|
Initial password for the |
Version 7.0.0-alpha1 of Elasticsearch has not yet been released, so a
create-certs.yml is not available for this version.
Version 7.0.0-alpha1 of Elasticsearch has not yet been released, so a
docker-compose.yml is not available for this version.
Run the exampleedit
Generate the certificates (only needed once):
docker-compose -f create-certs.yml up
Start two Elasticsearch nodes configured for SSL/TLS:
docker-compose up -d
Access the Elasticsearch API over SSL/TLS using the bootstrapped password:
curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe https://localhost:9200
The
elasticsearch-setup-passwordstool can also be used to generate random passwords for all users:Windows users not running PowerShell will need to remove
\and join lines in the snippet below.docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \ auto --batch \ -Expack.ssl.certificate=certificates/es01/es01.crt \ -Expack.ssl.certificate_authorities=certificates/ca/ca.crt \ -Expack.ssl.key=certificates/es01/es01.key \ --url https://localhost:9200"