From 683799d07734e13f3949534957acb09373fa9d19 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Aug 2020 15:02:54 -0400
Subject: [PATCH 1/5] Convert ES cert to p12
---
 salt/ssl/init.sls | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index a0cade9f6..9e0c1d9e8 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -243,7 +243,11 @@ miniokeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- 
+ cmd.run:
+ - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -topk12 -out /etc/pki/elasticsearch.p12 -nocrypt"
+ - onchanges:
+ - x509: /etc/pki/elasticsearch.key
+
 ealstickeyperms:
 file.managed:
 - replace: False
@@ -507,7 +511,7 @@ fleetkeyperms:
 {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
 - prereq:
 - x509: /etc/pki/elasticsearch.crt
- 
+
 /etc/pki/elasticsearch.crt:
 x509.certificate_managed:
 - ca_server: {{ ca_server }}
@@ -521,6 +525,10 @@ fleetkeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ cmd.run:
+ - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -topk12 -out /etc/pki/elasticsearch.p12 -nocrypt"
+ - onchanges:
+ - x509: /etc/pki/elasticsearch.key
 
 miniokeyperms:
 file.managed:
From daaffd518562f1a85bad7366c76cae79c49371ed Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Aug 2020 15:05:33 -0400
Subject: [PATCH 2/5] Convert ES cert to p12
---
 salt/ssl/init.sls | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
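Review bot: The `onchanges` on the new `cmd.run` lists only `x509: /etc/pki/elasticsearch.key`, but the `unless` just above it is what re-issues `/etc/pki/elasticsearch.crt` once it is within 432000 s of expiry, so a renewed certificate never rebuilds `/etc/pki/elasticsearch.p12`; once the certificate is folded into the bundle (patch 3/5 onward) Elasticsearch keeps presenting the expired one until the key itself changes. Add the certificate as a second trigger: `- onchanges:` / `  - x509: /etc/pki/elasticsearch.key` / `  - x509: /etc/pki/elasticsearch.crt`. The same gap is in the `@@ -521,6 +525,10 @@` hunk of this patch and survives the command rewrites in patches 2/5 to 4/5. Nothing sets owner or mode on the generated `.p12`, which holds the private key, whereas the neighbouring `ealstickeyperms` state does that for the `.key`; a matching `file.managed` with `- replace: False` for `/etc/pki/elasticsearch.p12` (or an explicit `- umask` on the `cmd.run`) would stop it being created under the minion's default umask. Whether the `cmd.run` sits under the `/etc/pki/elasticsearch.crt` state ID cannot be told from this copy because the hunk's indentation was lost.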
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 9e0c1d9e8..2cb435ffc 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -244,10 +244,10 @@ miniokeyperms:
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 cmd.run:
- - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -topk12 -out /etc/pki/elasticsearch.p12 -nocrypt"
+ - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -export -out /etc/pki/elasticsearch.p12 -nocrypt"
 - onchanges:
 - x509: /etc/pki/elasticsearch.key
- 
+
 ealstickeyperms:
 file.managed:
 - replace: False
@@ -526,7 +526,7 @@ fleetkeyperms:
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 cmd.run:
- - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -topk12 -out /etc/pki/elasticsearch.p12 -nocrypt"
+ - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -export -out /etc/pki/elasticsearch.p12 -nocrypt"
 - onchanges:
 - x509: /etc/pki/elasticsearch.key
 
From 82821fbb256056843ab5d827e8683c13bc954231 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Aug 2020 15:09:52 -0400
Subject: [PATCH 3/5] Convert ES cert to p12
---
 salt/ssl/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 2cb435ffc..3dd509861 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -244,7 +244,7 @@ miniokeyperms:
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 cmd.run:
- - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -export -out /etc/pki/elasticsearch.p12 -nocrypt"
+ - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nocrypt"
 - onchanges:
 - x509: /etc/pki/elasticsearch.key
 
@@ -526,7 +526,7 @@ fleetkeyperms:
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 cmd.run:
- - name: "/usr/bin/openssl pkcs12 -in /etc/pki/elasticsearch.key -export -out /etc/pki/elasticsearch.p12 -nocrypt"
+ - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12"
 - onchanges:
 - x509: /etc/pki/elasticsearch.key
 
From 7e3e4d0f54d41725b294385a5535ea0049cf6a43 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Aug 2020 15:16:12 -0400
Subject: [PATCH 4/5] Convert ES cert to p12
---
 salt/ssl/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 3dd509861..a5cae35b8 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -244,7 +244,7 @@ miniokeyperms:
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 cmd.run:
- - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nocrypt"
+ - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
 - onchanges:
 - x509: /etc/pki/elasticsearch.key
 
@@ -526,7 +526,7 @@ fleetkeyperms:
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 cmd.run:
- - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12"
+ - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
 - onchanges:
 - x509: /etc/pki/elasticsearch.key
 
From 9980d0284473eee7bc8d51c74c8f0fae791e6785 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Aug 2020 15:38:19 -0400
Subject: [PATCH 5/5] Elastic Transport TLSgit add .
---
 salt/elasticsearch/files/sotls.yaml | 2 +-
 salt/elasticsearch/init.sls | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/salt/elasticsearch/files/sotls.yaml b/salt/elasticsearch/files/sotls.yaml
index 1b6353856..6fee1e8e2 100644
--- a/salt/elasticsearch/files/sotls.yaml
+++ b/salt/elasticsearch/files/sotls.yaml
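Review bot: `-passout pass:` exports `/etc/pki/elasticsearch.p12` under an empty password, so the private key inside is protected by nothing but the file's permissions, while `salt/elasticsearch/files/sotls.yaml` in patch 5/5 configures `keystore.password: changeit`; a Java PKCS#12 loader verifies the bundle's MAC with the password it is given, so as far as I can tell one of the two has to change before Elasticsearch can open it. `-nodes` appears to be a parse-mode option of `openssl pkcs12` that has no effect together with `-export`, so it should be dropped, or replaced by the explicit `-keypbe NONE`/`-certpbe NONE` export options if an unencrypted bundle is really intended. The identical command is repeated in the `@@ -526,7 +526,7 @@` hunk. A real export password passed through `-passout file:` or `env:` and kept in the Elasticsearch keystore rather than in a config file shipped by the formula would avoid committing to an unprotected key on disk.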
@@ -1,4 +1,4 @@
-keystore.path: /etc/pki/ca-trust/extracted/java/sokeys
+keystore.path: /usr/share/elasticsearch/config/sokeys
 keystore.password: changeit
 keystore.algorithm: SunX509
 truststore.path: /etc/pki/ca-trust/extracted/java/cacerts
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 5bc9ddbb6..7cb887b05 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -139,6 +139,13 @@ esyml:
 - group: 939
 - template: jinja
 
+sotls:
+ file.managed:
+ - name: /opt/so/conf/elasticsearch/sotls.yml
+ - source: salt://elasticsearch/files/sotls.yml
+ - user: 930
+ - group: 939
+
 #sync templates to /opt/so/conf/elasticsearch/templates
 {% for TEMPLATE in TEMPLATES %}
 es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
@@ -200,8 +207,9 @@ so-elasticsearch:
 - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
 - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
 - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
- - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
- - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
+ - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
+ - /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro
+
 
 - watch:
 - file: cacertz
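Review bot: The new `keystore.path: /usr/share/elasticsearch/config/sokeys` does not match what the container receives: `salt/elasticsearch/init.sls` in this same patch bind-mounts the bundle at `/usr/share/elasticsearch/config/elasticsearch.p12`, and nothing in the series produces a `sokeys` file there, so unless it comes from somewhere outside these patches the line should read `keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12`. `keystore.password: changeit` stays as a plaintext, well-known value in a managed config file and also disagrees with the empty export password chosen in patch 4/5 (`-passout pass:`). If these keys map onto the X-Pack `ssl.keystore.*` settings, as the `keystore.algorithm`/`truststore.path` names suggest, the password belongs in the Elasticsearch keystore as a `secure_password` rather than here.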
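Review bot: `- source: salt://elasticsearch/files/sotls.yml` in the new `sotls` state points at a file this series never adds — the file it edits is `salt/elasticsearch/files/sotls.yaml` — so the state will fail with a missing source unless the repo file is renamed or the line becomes `- source: salt://elasticsearch/files/sotls.yaml`. The state sets `user`/`group` but no mode, and the file carries `keystore.password`; add `- mode: 640` (or whatever the sibling `esyml` state uses, whose body starts outside the hunk) so the rendered file is not world-readable.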
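Review bot: The `- watch:` list on `so-elasticsearch`, where this hunk ends, still names only `file: cacertz`, so a change to `/opt/so/conf/elasticsearch/sotls.yml` or a regenerated `/etc/pki/elasticsearch.p12` will not restart the container; if the list does not continue past the hunk, add `- file: sotls` and a watch on whichever state produces the `.p12`. The `.key`/`.crt` mounts are dropped here while the rest of the Elasticsearch configuration is outside the hunk, so it is worth confirming that nothing in the container still references `elasticsearch.key` or `elasticsearch.crt`.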