By default, Enterprise Search does not enable TLS (Transport Layer Security).
To enable SSL/TLS, set the following configuration settings:
ent_search.ssl.enabled: true ent_search.ssl.keystore.path: "/path/to/keystore.jks" ent_search.ssl.keystore.password: "changeme" ent_search.ssl.keystore.key_password: "changeme" ent_search.external_url: https://localhost:3002
In the above example,
keystore.jks is a Java KeyStore file.
Create a Java KeyStore file using the
keytool utility, which is included with the JVM.
If you are using the Elastic provided Docker image, the
keytool utility is available at
/etc/alternatives/keytool within the container.
See keytool - Key and Certificate Management Tool in the Java documentation.
For example, to create a self-signed certificate and add it to a keystore for use with a server running on
keytool -genkey -alias server-alias -keyalg RSA \ -storepass changeme -keypass changeme -keystore keystore.jks \ -dname 'CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown'
Note that the values used in
-keypass changeme and
-storepass changeme correspond directly to the values that must be set for
Please note: In a production scenario, you will need a public certificate signed by a trusted Certificate Authority.
In addition to the above instructions, you may want to avoid having your users specify a port number when visiting Enterprise Search. In order to allow your users to make use of HTTPS only, you can set:
ent_search.listen_port: 443 ent_search.external_url: https://my_host.my_domain.com:443 ent_search.ssl.redirect_http_from_port: 80
This will bind your server to port
443 (the default HTTPS traffic port), and will ensure that traffic routed to port
80 (the default HTTP port) will redirect to
This ensures that any visitor to
my_host.my_domain.com will make use of TLS.
java.lang.ClassCastException: org.bouncycastle.asn1.DERApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
This error may occur if you’re using a legacy configuration that specifies keys and certificates separately, and it is a known JRuby bug: https://github.com/jruby/jruby-openssl/issues/104. It is recommended that you use a Java KeyStore file as explained above. If this is not possible, endeavor to remove the "Bag Attributes" from your keyfile. This can be done by generating your keyfile like:
openssl pkcs12 -in keystore.p12 -nodes -nocerts -passin pass:changeme | openssl rsa -out my_store.key
You can also manually remove the "Bag Attributes" portion of your keyfile with a text editor.