Hi all,
I'm looking for some clarity about the
searchguard.ssl.transport.pemtrustedcas_filepath and
searchguard.ssl.http.pemtrustedcas_filepath settings. What are they actually
used for and how?
We are on ES 5.6.7 and SG 5.6.7-19
For internal testing, we provision both node and sgadmin certificates using
HashiCorp's Vault (using their PKI secrets backend). The Vault is configured
to use our internal CA and intermediate certificates to generate new
certificates. So, we end up with our pair of cert files (sgadmin and node), a
pair of PKCS8 key files and a single ca.pem file, which only needs to contain
our CA root cert.
Our internal CA Root cert is also added to the server's trusted certificates
(linked to /etc/ssl/certs).
For production, we still use our Vault server to provision sgadmin certs, but
use "proper" node certificates (from Comodo in this particular scenario) and
this is where the confusion kicks in.
It would appear that in order to get sgadmin.sh to work, the ca.pem file
needs to contain our CA root cert and any cert from our "proper" node cert's
chain (I tried putting in the node cert itself or the next intermediate cert).
On the other hand, whatever I put in ca.pem (I tried putting only our root CA
cert), the node will happily restart, and if I browse to, say,
https://my.server.com:9200/_nodes, the browser will be happy with Comodo's
SSL cert chain, which makes it look like the pemtrustedcas_filepath file has
no effect on the nodes.
What am I missing here?
Thank you,
--
Marko Bozikovic
Senior Developer
Symplectic
Email:
bo...@symplectic.co.uk
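Editor's note, added to this thread and not part of the post above or of Search Guard's own material. The behaviour described follows from how TLS trust files work in general: a side's trusted-CA file decides which certificates presented *to it* are accepted; it has no bearing on the chain that side presents. The node validates the certificates of other nodes and of sgadmin.sh (transport) and of HTTP clients when client-certificate authentication is enabled (http) against its pemtrustedcas files, while a browser validates the chain the node serves from pemcert_filepath against the browser's own trust store, which is why the contents of ca.pem never change what the browser sees. sgadmin.sh, by contrast, is itself a TLS client on the transport port and must build a chain from the node's certificate to something in its -cacert file. The added shell example below reproduces the root -> intermediate -> node-cert situation with openssl (the CA names, file names, the CN my.server.com taken from the post, and the working directory are all constructed for the example) and shows that a trust file holding only the root is sufficient when the peer sends its intermediate in the handshake, and that otherwise the intermediate must be added to the trust file itself. Java's PKIX trust manager, which sgadmin uses, treats every certificate in that file as a trust anchor, so adding the intermediate (or the node certificate) there is what makes the chain close.

```shell
#!/bin/sh
# Added example, not from the original post or from Search Guard: build a
# root -> intermediate -> leaf chain with openssl (standing in for the
# public CA -> intermediate -> node cert case) and show which contents of a
# trust file let a TLS client verify the leaf. Names and paths are arbitrary.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_chain() {
  # CA extensions shared by root and intermediate; a cert without CA:TRUE is
  # rejected as an issuer during chain validation.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca.ext"

  # Self-signed root CA (constructed; plays the role of the public root).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/root.csr" -signkey "$WORKDIR/root.key" \
    -extfile "$WORKDIR/ca.ext" -set_serial 1 -days 30 -out "$WORKDIR/root.pem" 2>/dev/null

  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORKDIR/int.key" -out "$WORKDIR/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/int.csr" -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" \
    -extfile "$WORKDIR/ca.ext" -set_serial 2 -days 30 -out "$WORKDIR/int.pem" 2>/dev/null

  # Leaf (the "node" certificate) signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my.server.com" \
    -keyout "$WORKDIR/node.key" -out "$WORKDIR/node.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/node.csr" -CA "$WORKDIR/int.pem" -CAkey "$WORKDIR/int.key" \
    -set_serial 3 -days 30 -out "$WORKDIR/node.pem" 2>/dev/null

  # Two candidate trust files: root only, and root plus intermediate.
  cp "$WORKDIR/root.pem" "$WORKDIR/ca-root-only.pem"
  cat "$WORKDIR/root.pem" "$WORKDIR/int.pem" > "$WORKDIR/ca-root-and-int.pem"
}

# Prints "ok" or "fail": can the leaf be verified against trust file $1 when
# the peer presents only the leaf certificate?
verify_leaf_only() {
  if openssl verify -CAfile "$1" "$WORKDIR/node.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Same, but the peer also presents the intermediate. -untrusted models the
# extra certificates a server sends in its handshake: usable for building the
# chain, but not trusted in their own right.
verify_leaf_with_sent_intermediate() {
  if openssl verify -CAfile "$1" -untrusted "$WORKDIR/int.pem" "$WORKDIR/node.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

main() {
  make_chain
  echo "trust=root only,         peer sends leaf only:         $(verify_leaf_only "$WORKDIR/ca-root-only.pem")"
  echo "trust=root only,         peer sends leaf+intermediate: $(verify_leaf_with_sent_intermediate "$WORKDIR/ca-root-only.pem")"
  echo "trust=root+intermediate, peer sends leaf only:         $(verify_leaf_only "$WORKDIR/ca-root-and-int.pem")"
}

main "$@"
```

The first line of output is the failing case from the post: a trust file containing only the root cannot validate a leaf whose issuer is an intermediate the client has not been given. The second line is the clean fix on the node side (pemcert_filepath holding leaf plus intermediate, so every client, sgadmin.sh included, receives the full chain); the third line is the workaround the post arrived at (intermediate appended to the trust file). Run with `sh` on a host with the openssl CLI; the certificates are written to a temporary directory and are throwaway test material.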