Comments (15)
Example of how someone else did it: https://github.com/swimlane/elk-tls-docker
from elastdocker.
Do you need help with this?
from elastdocker.
I'm back with an idea, and would like some input from repo maintainers on if they think this is a good solution.
I have tested a docker-compose setup that uses the official certbot container to auto-generate certs. Certbot shares a volume with nginx, and nginx uses the files put in that volume by certbot for TLS. Below is an example configuration:
```yaml
services:
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      - ./volumes/certbot/conf/:/etc/letsencrypt/
      - ./volumes/certbot/www/:/var/www/certbot/
    restart: unless-stopped
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  nginx:
    container_name: nginx
    build:
      context: ./nginx
      args:
        DOMAIN: ${DOMAIN}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./volumes/certbot/conf/:/etc/letsencrypt/
      - ./volumes/certbot/www/:/var/www/certbot/
    environment:
      EMAIL: ${EMAIL}
    restart: unless-stopped
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
```
What do you all think about this solution? Is this the right direction to start in?
from elastdocker.
I haven't been having enough time to add it to Elastdocker myself, any help would be appreciated of course ❤️
from elastdocker.
OK, did you have something in mind on how it should be done?
from elastdocker.
I was thinking of using certbot and creating `make setup-letsencrypt`, then compiling in the directory to create certs. Or do you have some other idea?
from elastdocker.
would like to push this topic:) Any plans here?
from elastdocker.
Another year, another person interested in this feature :) I'm swamped through Monday but if I get some free time next week I might look into elk-tls-docker's implementation as @wallopthecat mentioned and see if I can finally make a PR for this.
from elastdocker.
No longer Monday, but I did not forget about this. It's on my to-do list.
from elastdocker.
I'm back with some ideas. I've seen some services use a certbot container and mount the volume from that to an nginx container. In this case we could just mount it to the kibana container and configure kibana to use the certs from that volume. Here's an example.
Do you think we should add an nginx frontend? If so, should we make a separate compose file for "production" deployments? I'd like some feedback from the repo maintainer (@sherifabdlnaby) before moving forward with this.
from elastdocker.
+1 also looking for a solution for this.
from elastdocker.
Documentation will also need to be updated because there would be some prerequisite work that would need to be done (setting up DNS and port forwarding so letsencrypt can reach the service).
from elastdocker.
It's really up to @sherifabdlnaby if he wants to add to the scope of this project. Anyone is able to deploy the above docker-compose file and add their own nginx configuration to create a reverse proxy to Kibana. It's just a matter of whether we want this project to handle that when needed, or just provide instructions on how people can do that themselves.
from elastdocker.
The problem with LE (e.g. with certbot as proposed by @lawndoc) is that LE normally needs public access to the webserver, which is not possible, especially for private test setups.
OTOH, so far we have had good experience with mkcert, which needs to be run on the host. It creates a CA which is added to the system's and browsers' trust stores automatically, and then creates certificates which we mount into the containers.
from elastdocker.
There is a quite easy way to get Let's Encrypt certificates into elastdocker, although this method is not containerized itself.
This also uses the same certificate for all services.
Install certbot and get your certificate with the `certonly` command.
This saves the cert into `/etc/letsencrypt/live/elastic.mydomain.com/`.
Create a cronjob for auto-renewal:
```sh
SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
```
Create a post-hook script that copies the cert, CA, and key into your elastdocker setup and run it ONCE manually
(Anyone fluent in bash is welcome to pimp this one up :) )
```sh
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/post/certbot-post-hook.sh
# Copy the Let's Encrypt chain and private key into each service's secrets directory.
LIVE=/etc/letsencrypt/live/elastic.mydomain.com
CERTS=/mnt/data/elastdocker/secrets/certs
cat "$LIVE/fullchain.pem" > "$CERTS/elasticsearch/elasticsearch.crt"
cat "$LIVE/fullchain.pem" > "$CERTS/kibana/kibana.crt"
cat "$LIVE/fullchain.pem" > "$CERTS/apm-server/apm-server.crt"
cat "$LIVE/privkey.pem" > "$CERTS/elasticsearch/elasticsearch.key"
cat "$LIVE/privkey.pem" > "$CERTS/kibana/kibana.key"
cat "$LIVE/privkey.pem" > "$CERTS/apm-server/apm-server.key"
```
Modify permissions for the hook script:
```sh
chmod 750 /etc/letsencrypt/renewal-hooks/post/certbot-post-hook.sh
```
Get the Let's Encrypt root cert:
```sh
wget https://letsencrypt.org/certs/isrgrootx1.pem
```
and copy it into your setup once:
```sh
cat ./isrgrootx1.pem > /mnt/data/elastdocker/secrets/certs/ca/ca.crt
```
Set the correct hostname in the `.env` file:
```sh
ELASTICSEARCH_HOST=elastic.mydomain.com
```
That's it.
from elastdocker.
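As an added example (not code from this thread or the elastdocker project), here is a hardened variant of the copy hook above, written as a certbot deploy hook (`renewal-hooks/deploy`, which runs only after a successful renewal and receives `RENEWED_LINEAGE`) instead of a post hook: it writes each file with restrictive permissions from the start, replaces it atomically, and refuses to run if either input is missing. The `secrets/certs/<service>/<service>.{crt,key}` layout is the one from the comment above; `ELASTDOCKER_DIR` and the `count_deployed` helper are assumptions made here.

```shell
#!/bin/sh
# Added example, not elastdocker's own hook. Fans the renewed fullchain/privkey
# out to the elastdocker secrets tree. Assumes the layout
#   <secrets>/certs/<service>/<service>.crt and .key
# and that LINEAGE_DIR is /etc/letsencrypt/live/<host> (certbot exports this
# as RENEWED_LINEAGE to deploy hooks; ELASTDOCKER_DIR is assumed here).
set -eu

SERVICES="elasticsearch kibana apm-server"

# deploy_certs LINEAGE_DIR SECRETS_DIR
# Returns 1 without touching anything if fullchain.pem or privkey.pem is missing.
deploy_certs() {
    lineage="$1"; secrets="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "deploy_certs: missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    }
    for svc in $SERVICES; do
        dir="$secrets/certs/$svc"
        mkdir -p "$dir"
        # install -m creates the file with the final mode (no window where the
        # key is world-readable); writing a temp file in the same directory and
        # renaming means a container restart never sees a half-written key.
        install -m 0644 "$lineage/fullchain.pem" "$dir/.$svc.crt.tmp"
        install -m 0640 "$lineage/privkey.pem"   "$dir/.$svc.key.tmp"
        mv -f "$dir/.$svc.crt.tmp" "$dir/$svc.crt"
        mv -f "$dir/.$svc.key.tmp" "$dir/$svc.key"
    done
}

# count_deployed SECRETS_DIR: prints how many service keys exist with mode 0640,
# a quick sanity check to run after a renewal.
count_deployed() {
    n=0
    for svc in $SERVICES; do
        f="$1/certs/$svc/$svc.key"
        mode="$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null || echo none)"
        [ "$mode" = "640" ] && n=$((n + 1))
    done
    echo "$n"
}

# When certbot runs this as a deploy hook, RENEWED_LINEAGE is set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "${ELASTDOCKER_DIR:-/mnt/data/elastdocker}/secrets"
fi
```

The services still need a reload or restart after the files change, as the compose example earlier in the thread does for nginx.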