github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-06-30 10:23:41 -04:00
Code Issues Projects Releases Packages Wiki Activity
elasticsearch/docs/reference/setup/install/connect-clients.asciidoc

65 lines
2.3 KiB
Text
Raw Blame History

==== Connect clients to {es}
// This file is reused in each of the installation pages. Ensure that any changes
// you make to this file are applicable across all installation environments.
When you start {es} for the first time, TLS is configured automatically for the
HTTP layer. A CA certificate is generated and stored on disk at:
[source,sh,subs="attributes"]
----
{es-conf}{slash}certs{slash}http_ca.crt
----
The hex-encoded SHA-256 fingerprint of this
certificate is also output to the terminal. Any clients that connect to {es},
such as the
https://www.elastic.co/guide/en/elasticsearch/client/index.html[{es} Clients],
{beats}, standalone {agent}s, and {ls} must validate that they trust the
certificate that {es} uses for HTTPS. {fleet-server} and {fleet}-managed
{agent}s are automatically configured to trust the CA certificate.
Other clients can establish trust by using either the fingerprint of the CA
certificate or the CA certificate itself.
If the auto-configuration process already completed, you can still obtain the
fingerprint of the security certificate. You can also copy the CA certificate
to your machine and configure your client to use it.
[discrete]
===== Use the CA fingerprint
Copy the fingerprint value that's output to your terminal when {es} starts, and
configure your client to use this fingerprint to establish trust when it
connects to {es}.
If the auto-configuration process already completed, you can still obtain the
fingerprint of the security certificate by running the following command. The
path is to the auto-generated CA certificate for the HTTP layer.
[source,sh]
----
openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
----
The command returns the security certificate, including the fingerprint.
The `issuer` should be `Elasticsearch security auto-configuration HTTP CA`.
[source,sh]
----
issuer= /CN=Elasticsearch security auto-configuration HTTP CA
SHA256 Fingerprint=<fingerprint>
----
[discrete]
===== Use the CA certificate
If your library doesn't support a method of validating the fingerprint, the
auto-generated CA certificate is created in the following directory on each {es}
node:
[source,sh,subs="attributes"]
----
{es-conf}{slash}certs{slash}http_ca.crt
----
Copy the `http_ca.crt` file to your machine and configure your client to use this
certificate to establish trust when it connects to {es}.
Reference in a new issue View git blame Copy permalink