This example demonstrates how to use Transport Layer Security (TLS) to encrypt the communication with an Elasticsearch cluster and to verify the cluster's identity, by passing a custom certificate authority (CA) to the client so it can validate the server certificate.
Generate the certificates using the elasticsearch-certutil tool:
make certificates
See the "Encrypting communications in an Elasticsearch Docker Container" tutorial for a complete overview.
Start the cluster with full security configuration:
make cluster
See the elasticsearch-cluster.yml file for details.
Use curl to verify access to the cluster, passing the CA with --cacert so that curl verifies the server certificate against it (rather than disabling verification with --insecure):
curl --cacert certificates/ca/ca.crt https://elastic:elastic@localhost:9200
NOTE: On Mac OS X, you may need to add the certificate to the Keychain with security add-trusted-cert -p ssl certificates/ca/ca.crt. To remove it, run security remove-trusted-cert certificates/ca/ca.crt.
To pass the certificate authority (CA) to the client, so it can verify the server certificate, use the elasticsearch.Config.CACert configuration option:
// --> Read the CA certificate (PEM) from the file named by the -cacert flag
cert, err := os.ReadFile(*cacert)
if err != nil {
	log.Fatalf("Error reading the CA certificate: %s", err)
}
es, err := elasticsearch.NewClient(
	elasticsearch.Config{
		// ...
		// --> Pass the CA certificate to the client; it becomes the trust anchor for the server certificate
		CACert: cert,
	})
if err != nil {
	log.Fatalf("Error creating the client: %s", err)
}
Run the full example:
go run tls_with_ca.go
# [200 OK] {
# ...
To configure the transport manually, create a certificate pool with x509.NewCertPool(), add the CA to it with the pool's AppendCertsFromPEM() method, set the pool as RootCAs in the tls.Config assigned to (*http.Transport).TLSClientConfig, and pass the transport to the client with the elasticsearch.Config.Transport option. The client then verifies the server certificate against that CA only; do not set InsecureSkipVerify, which disables verification entirely.
Run the full example:
go run tls_configure_ca.go
# [200 OK] {
# ...
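The manual transport wiring described above, carried through end to end as an added example; this is not code from the go-elasticsearch repository or its examples directory, and the function names (newTransportWithCA, issueTestPKI, runDemo, check) are this example's own. It uses only the Go standard library so it runs offline: issueTestPKI stands in for elasticsearch-certutil by creating a throwaway CA and a server certificate signed by it, an httptest TLS server stands in for the cluster, and newTransportWithCA is the part you would keep, passing its result as elasticsearch.Config.Transport with the bytes of certificates/ca/ca.crt. It also exercises the failure mode: a client whose root pool does not contain the private CA fails the handshake with "x509: certificate signed by unknown authority", which is the error that tempts people into InsecureSkipVerify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newTransportWithCA returns an http.Transport that verifies servers against the CA
// certificates in caPEM only (in the README's setup, the bytes of certificates/ca/ca.crt).
func newTransportWithCA(caPEM []byte) (*http.Transport, error) {
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports only whether at least one certificate was parsed.
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM data")
	}
	return &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}, nil
}

// check aborts on a failure in the scaffolding below, which is not the code under demonstration.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueTestPKI stands in for elasticsearch-certutil: a throwaway CA plus a server certificate
// for 127.0.0.1 signed by it, kept in memory so the example runs offline.
func issueTestPKI() (caPEM []byte, server tls.Certificate) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames: []string{"localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	check(err)
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
}

// runDemo serves a stand-in for the cluster over TLS with the test PKI, then connects once trusting
// the CA and once with an empty root pool, which is what a client sees when the private CA was never
// configured. That second handshake fails with x509.UnknownAuthorityError before any request is sent.
func runDemo() (trustedStatus int, untrustedErr error, err error) {
	caPEM, srvCert := issueTestPKI()
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"tagline": "You Know, for Search"}`) // constructed stand-in response body
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}}
	srv.StartTLS()
	defer srv.Close()
	get := func(rt http.RoundTripper) (int, error) {
		resp, err := (&http.Client{Transport: rt, Timeout: 5 * time.Second}).Get(srv.URL)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		return resp.StatusCode, nil
	}
	trusted, err := newTransportWithCA(caPEM)
	if err != nil {
		return 0, nil, err
	}
	if trustedStatus, err = get(trusted); err != nil {
		return 0, nil, err
	}
	_, untrustedErr = get(&http.Transport{TLSClientConfig: &tls.Config{RootCAs: x509.NewCertPool()}})
	return trustedStatus, untrustedErr, nil
}

func main() { fmt.Println(runDemo()) } // 200, the unknown-authority error, <nil>
```

Run it with go run; the trusted client gets 200 from the stand-in server while the client with an empty root pool never gets past the handshake. In the real setup, replace issueTestPKI with reading certificates/ca/ca.crt and hand the transport to the client instead of a plain http.Client; the explicit MinVersion is a defensive default and the empty-pool check in newTransportWithCA catches a mis-pathed or empty CA file that would otherwise make every connection fail with the same unknown-authority error.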