Use the internmediate cert

2025-12-06 17:22:49 +01:00 · 2021-01-21 13:00:46 -05:00
parent b0914fa604
commit 9f984036c5
2 changed files with 11 additions and 19 deletions
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -26,30 +26,17 @@ cluster.routing.allocation.disk.watermark.low: 95%
 cluster.routing.allocation.disk.watermark.high: 98%
 cluster.routing.allocation.disk.watermark.flood_stage: 98%
 #xpack.security.enabled: false
 #xpack.security.http.ssl.enabled: false
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: none
-xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12
+xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
-xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elasticsearch.p12
+xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
-#xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys
+xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ]
 #xpack.security.transport.ssl.keystore.secure_password: changeit
 #xpack.security.transport.ssl.truststore.path: /etc/pki/java/cacerts
 #xpack.security.transport.ssl.truststore.password: changeit
 #xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
 #xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
 #xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ]
 {%- if grains['role'] in ['so-node','so-heavynode'] %}
 xpack.security.http.ssl.enabled: true
 xpack.security.http.ssl.client_authentication: none
-xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12
+xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
-xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12
+xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
-#xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys
+xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
 #xpack.security.http.ssl.keystore.secure_password: changeit
 #xpack.security.http.ssl.truststore.path: /etc/pki/java/cacerts
 #xpack.security.http.ssl.truststore.password: changeit
 #xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
 #xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
 #xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
 {%- endif %}
 #xpack.security.authc:
 #  anonymous:
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -216,6 +216,11 @@ so-elasticsearch:
      - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
      - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
      {% if grains['role'] in ['so-manager','so-managersearch'] %}
      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% else %}
      - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% endif %}
      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
      - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro