From 0d66e323051111597f2f6ca7ee1ff32c6410cc4e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 7 Aug 2020 22:39:29 -0400
Subject: [PATCH] sync cacerts
---
 salt/elasticsearch/init.sls | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 495d7d8c2..adf82a286 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -40,6 +40,7 @@ vm.max_map_count:
 - value: 262144
 {% if ismanager %}
+# We have to add the Manager CA to the CA list
 cascriptsync:
 file.managed:
 - name: /usr/sbin/so-catrust
@@ -51,6 +52,21 @@ cascriptsync:
 {% endif %}
+# Move our new CA over so Elastic and Logstash can use SSL with the internal CA
+catrustdir:
+ file.directory:
+ - name: /opt/so/conf/ca
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+cacertz:
+ file.managed:
+ - name: /opt/so/conf/ca/cacerts
+ - source: salt://common/cacerts
+ - user: 939
+ - group: 939
+
 # Add ES Group
 elasticsearchgroup:
 group.present:
@@ -163,6 +179,10 @@ so-elasticsearch:
 - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
 - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
 - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
+ - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
+
+ - watch:
+ - file: cacertz
 so-elasticsearch-pipelines-file:
 file.managed:
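Review bot: The new `cacertz` state installs the Java trust store with no explicit `mode`, and both it and `catrustdir` are owned by uid/gid 939, which (judging by the bind mount added further down) appears to be the account that consumes the file. A trust store decides which CAs the service will accept, so the consuming account should only be able to read it: for example `- user: root` with `- mode: 644` on the file and `- mode: 755` on the directory. Adding `- require:` with `- file: catrustdir` to `cacertz` would also make the ordering explicit instead of relying on declaration order. If `salt://common/cacerts` is only generated on the manager by `so-catrust` (not visible in this hunk), it is worth confirming the state fails cleanly on a node that runs before the file exists.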
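Review bot: The `- watch:` requisite on `file: cacertz` deserves a one-line comment, because it is what makes a refreshed trust store take effect. A single-file bind mount generally keeps pointing at the file that existed when the container started, so a replaced `cacerts` is presumably not visible until the container is restarted or recreated. Something like `# Restart when the CA bundle changes; a single-file bind mount does not follow a replaced file` above the requisite would do. The mount also replaces the image's whole Java trust store at `/etc/pki/ca-trust/extracted/java/cacerts`, so any public CA Elasticsearch needs must be present in the synced file. The `so-elasticsearch` state begins and continues outside this hunk.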