{es} 8.0 offers security by default, that means authentication and TLS are enabled.
71
+
72
+
To connect to the {es} cluster you’ll need to configure the Ruby {es} client to use HTTPS with the generated CA certificate in order to make requests successfully.
73
+
74
+
If you’re just getting started with {es} we recommend reading the documentation on configuring and starting {es} to ensure your cluster is running as expected.
75
+
76
+
When you start {es} for the first time you’ll see a distinct block like the one below in the output from {es} (you may have to scroll up if it’s been a while):
Note down the `elastic` user password and HTTP CA fingerprint for the next sections. In the examples below they will be stored in the variables `ELASTIC_PASSWORD` and `CERT_FINGERPRINT` respectively.
94
+
95
+
Depending on the circumstances there are two options for verifying the HTTPS connection, either verifying with the CA certificate itself or via the HTTP CA certificate fingerprint.
96
+
97
+
98
+
[discrete]
99
+
[[ca-certificates]]
100
+
==== Verifying HTTPS with CA certificates
101
+
102
+
The generated root CA certificate can be found in the `certs` directory in your {es} config location (`$ES_CONF_PATH/certs/http_ca.crt`). If you're running {es} in Docker there is https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html[additional documentation for retrieving the CA certificate].
103
+
104
+
Once you have the `http_ca.crt` file somewhere accessible pass the path to the client via `ca_certs`:
==== Verifying HTTPS with certificate fingerprints
117
+
118
+
119
+
This method of verifying the HTTPS connection takes advantage of the certificate fingerprint value noted down earlier. Take this SHA256 fingerprint value and pass it to the Ruby {es} client via `ca_fingerprint`:
120
+
121
+
[source,ruby]
122
+
------------------------------------
123
+
# Colons and uppercase/lowercase don't matter when using
124
+
# the 'ca_fingerprint' parameter
125
+
CERT_FINGERPRINT = '64F2593F...'
126
+
127
+
# Password for the 'elastic' user generated by Elasticsearch
If you don't have access to the generated CA file from {es} you can use the following script to output the root CA fingerprint of the {es} instance with `openssl s_client`:
148
+
149
+
[source,sh]
150
+
----
151
+
# Replace the values of 'localhost' and '9200' to the
152
+
# corresponding host and port values for the cluster.
You can also use https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html[ApiKey] authentication.
76
172
77
-
NOTE: If you provide both basic authentication credentials and the ApiKey
78
-
configuration, the ApiKey takes precedence.
79
-
You can also use API Key authentication:
173
+
NOTE: If you provide both basic authentication credentials and the ApiKey configuration, the ApiKey takes precedence.
80
174
81
175
[source,ruby]
82
176
------------------------------------
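Review bot: The `openssl s_client` paragraph added in the fingerprint section has readers fetch the root CA fingerprint from the same {es} instance they are about to pin, which is trust on first use: if that connection is intercepted, the client ends up pinning whatever CA was presented. Suggest adding a sentence saying the script's output should be compared with the HTTP CA fingerprint printed at first startup (the value the text already asks readers to note down), or that the script only be run over a network path that is already trusted. It would also help to say that this fallback is for cases where the startup output is no longer available, so readers who have the CA file or the printed fingerprint use those first.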
@@ -140,24 +234,6 @@ Elasticsearch::Client.new(
140
234
)
141
235
------------------------------------
142
236
143
-
[discrete]
144
-
[[ca-fingerprint]]
145
-
==== CA fingerprint
146
-
147
-
You can configure the client to only trust certificates that are signed by a specific CA certificate (CA certificate pinning) by providing a `ca_fingerprint` option. This will verify that the fingerprint of the CA certificate that has signed the certificate of the server matches the supplied value:
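Review bot: The removed `==== CA fingerprint` paragraph stated explicitly that `ca_fingerprint` pins the CA certificate that signed the server certificate, while the replacement text under "Verifying HTTPS with certificate fingerprints" only calls it "the certificate fingerprint value noted down earlier". Suggest carrying the sentence "You can configure the client to only trust certificates that are signed by a specific CA certificate (CA certificate pinning)" into the new section, so readers do not supply the server's own certificate fingerprint by mistake. The `[[ca-fingerprint]]` anchor is also deleted here; if the new section does not define the same id, existing cross-references and links to it will break.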