ansible-role-elasticsearch/tasks/xpack/elasticsearch-xpack-ssl.yml

#### Install SSL/TLS certificates when platinum license is present
#ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF
#/usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200

- name: Check if {{ es_ssl_config['ca_folder'] }} folder exists
  file:
    path: "{{ es_ssl_config['ca_folder'] }}"
    state: directory
    owner: elasticsearch
    group: elasticsearch
    mode: 0755
  register: es_ssl_folder

- name: Verify if elastic CA keys are present
  stat:
    path: "{{ es_ssl_config['ca_folder'] }}/elastic-ca.p12"
  become: true
  become_user: elasticsearch
  register: es_ssl_ca_present
  when: es_ssl_folder

- name: Generate SSL/TLS CA Authority (required for platinum license)
  environment: 
    - ES_PATH_CONF: "{{conf_dir}}"
  command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -pass "{{ es_ssl_config['ca_password'] }}"
  become: true
  become_user: elasticsearch
  register: elastic_ca
  when: es_platinum_license is defined and es_ssl_config is defined and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or es_ssl_config['regen_certs'])

- name: Check if /usr/local/share/ca-certificates/local-elastic-ca folder exists
  file:
    path: /usr/local/share/ca-certificates/local-elastic-ca
    state: directory
    owner: root
    group: root
    mode: 0755
  register: es_ca_folder

- name: Extract CA certificate to the trusted CA folder
  command: openssl pkcs12 -in {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:{{ es_ssl_config['ca_password'] }}
  when: es_ca_folder and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or elastic_ca.changed)
  register: es_ca_sytem_import_prep

- name: Add CA certificate to cacerts
  become: true
  command: update-ca-certificates
  when: es_ca_sytem_import_prep.changed

- name: Verify if elastic Cert keys are present
  stat:
    path: "{{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12"
  become: true
  become_user: elasticsearch
  register: es_ssl_cert_present

- name: Generate SSL/TLS certificate for primary ES (required for platinum license)
  environment: 
    - ES_PATH_CONF: "{{conf_dir}}"
  command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "{{ es_ssl_config['ca_password'] }}" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "{{ es_ssl_config['es_password'] }}"
  become: true
  become_user: elasticsearch
  register: es_ssl_cert_generated
  when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not es_ssl_cert_present.stat.exists

- name: Add SSL/TLS keystore password to ES keystore (required for platinum license)
  environment: 
    - ES_PATH_CONF: "{{conf_dir}}"
  shell: echo "{{ es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force
  become: true
  become_user: elasticsearch
  when: es_ssl_cert_generated

- name: Add SSL/TLS truststore password to ES keystore (required for platinum license)
  environment: 
    - ES_PATH_CONF: "{{conf_dir}}"
  shell: echo "{{ es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force
  become: true
  become_user: elasticsearch
  when: es_ssl_cert_generated

- name: set fact es_http_type to HTTPS
  set_fact: es_http_type=https
  when: es_ssl_cert_generated

##################################### Kibana certificates #####################################

- name: Verify if kibana Cert keys are present
  stat:
    path: "{{ es_ssl_config['ca_folder'] }}/kb-{{ item }}.zip"
  become: true
  become_user: elasticsearch
  register: es_kb_ssl_cert_present
  loop: "{{ groups['kibana_machines'] }}"

- name: Generate SSL/TLS certificates for Kibana machines
  environment: 
    - ES_PATH_CONF: "{{conf_dir}}"
  command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out {{ es_ssl_config['ca_folder'] }}/kb-{{ item.item }}.zip --pem --name {{ item.item }}
  become: true
  become_user: elasticsearch
  when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not item.stat.exists
  # with_items: "{{ es_kb_ssl_cert_present.results }}"
  loop: "{{ es_kb_ssl_cert_present.results }}"

- name: Find kibana certificates in {{ es_ssl_config['ca_folder'] }}
  find:
    paths: "{{ es_ssl_config['ca_folder'] }}"
    patterns: 'kb-.*\.zip'
    use_regex: yes
  register: es_kb_ssl_cert_archives

- debug:
    msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}"

# Maybe encrypt certificates first as these are not p12 files?
# Generate a private/public key pair
# $ openssl genrsa -out rsa_key.pri 2048; openssl rsa -in rsa_key.pri -out rsa_key.pub -outform PEM -pubout
# Encrypt the string using public key, and store in a file
# $ echo "stockexchange.com" | openssl rsautl -encrypt -inkey rsa_key.pub -pubin -out secret.dat
# Un-encrypt using private key
# $ string=`openssl rsautl -decrypt -inkey rsa_key.pri -in secret.dat `; echo $string
# stockexchange.com

- name: Fetch certificates for Kibana
  fetch:
    src: "{{item.path}}"
    dest: /tmp/certs/
    flat: true
  loop: "{{ es_kb_ssl_cert_archives.files }}"

- name: Fetch CA certificate from primary ES server
  fetch:
    src: /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt
    dest: /tmp/certs/
    flat: true
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`#### Install SSL/TLS certificates when platinum license is present`
			`#ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF`
			`#/usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200`

SSL support optimisation 2018-05-05 07:42:08 +02:00			`- name: Check if {{ es_ssl_config['ca_folder'] }} folder exists`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`file:`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`path: "{{ es_ssl_config['ca_folder'] }}"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`state: directory`
			`owner: elasticsearch`
			`group: elasticsearch`
			`mode: 0755`
			`register: es_ssl_folder`

			`- name: Verify if elastic CA keys are present`
			`stat:`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`path: "{{ es_ssl_config['ca_folder'] }}/elastic-ca.p12"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`become: true`
			`become_user: elasticsearch`
			`register: es_ssl_ca_present`
			`when: es_ssl_folder`

			`- name: Generate SSL/TLS CA Authority (required for platinum license)`
			`environment:`
			`- ES_PATH_CONF: "{{conf_dir}}"`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -pass "{{ es_ssl_config['ca_password'] }}"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`become: true`
			`become_user: elasticsearch`
			`register: elastic_ca`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`when: es_platinum_license is defined and es_ssl_config is defined and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or es_ssl_config['regen_certs'])`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`- name: Check if /usr/local/share/ca-certificates/local-elastic-ca folder exists`
			`file:`
			`path: /usr/local/share/ca-certificates/local-elastic-ca`
			`state: directory`
			`owner: root`
			`group: root`
			`mode: 0755`
			`register: es_ca_folder`

			`- name: Extract CA certificate to the trusted CA folder`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`command: openssl pkcs12 -in {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:{{ es_ssl_config['ca_password'] }}`
			`when: es_ca_folder and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or elastic_ca.changed)`
			`register: es_ca_sytem_import_prep`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`- name: Add CA certificate to cacerts`
			`become: true`
			`command: update-ca-certificates`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`when: es_ca_sytem_import_prep.changed`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`- name: Verify if elastic Cert keys are present`
			`stat:`
			`path: "{{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12"`
			`become: true`
			`become_user: elasticsearch`
			`register: es_ssl_cert_present`

SSL support optimisation 2018-05-05 07:42:08 +02:00			`- name: Generate SSL/TLS certificate for primary ES (required for platinum license)`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`environment:`
			`- ES_PATH_CONF: "{{conf_dir}}"`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "{{ es_ssl_config['ca_password'] }}" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "{{ es_ssl_config['es_password'] }}"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`become: true`
			`become_user: elasticsearch`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`register: es_ssl_cert_generated`
			`when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not es_ssl_cert_present.stat.exists`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`- name: Add SSL/TLS keystore password to ES keystore (required for platinum license)`
			`environment:`
			`- ES_PATH_CONF: "{{conf_dir}}"`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`shell: echo "{{ es_ssl_config['es_password'] }}" \| /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`become: true`
			`become_user: elasticsearch`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`when: es_ssl_cert_generated`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`- name: Add SSL/TLS truststore password to ES keystore (required for platinum license)`
			`environment:`
			`- ES_PATH_CONF: "{{conf_dir}}"`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`shell: echo "{{ es_ssl_config['es_password'] }}" \| /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`become: true`
			`become_user: elasticsearch`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`when: es_ssl_cert_generated`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`- name: set fact es_http_type to HTTPS`
			`set_fact: es_http_type=https`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`when: es_ssl_cert_generated`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`##################################### Kibana certificates #####################################`

			`- name: Verify if kibana Cert keys are present`
			`stat:`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`path: "{{ es_ssl_config['ca_folder'] }}/kb-{{ item }}.zip"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`become: true`
			`become_user: elasticsearch`
			`register: es_kb_ssl_cert_present`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`loop: "{{ groups['kibana_machines'] }}"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
SSL support optimisation 2018-05-05 07:42:08 +02:00			`- name: Generate SSL/TLS certificates for Kibana machines`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`environment:`
			`- ES_PATH_CONF: "{{conf_dir}}"`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out {{ es_ssl_config['ca_folder'] }}/kb-{{ item.item }}.zip --pem --name {{ item.item }}`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`become: true`
			`become_user: elasticsearch`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not item.stat.exists`
			`# with_items: "{{ es_kb_ssl_cert_present.results }}"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`loop: "{{ es_kb_ssl_cert_present.results }}"`

SSL support optimisation 2018-05-05 07:42:08 +02:00			`- name: Find kibana certificates in {{ es_ssl_config['ca_folder'] }}`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`find:`
SSL support optimisation 2018-05-05 07:42:08 +02:00			`paths: "{{ es_ssl_config['ca_folder'] }}"`
Added more x-pack config options 2018-05-03 16:45:04 +02:00			`patterns: 'kb-.*\.zip'`
			`use_regex: yes`
			`register: es_kb_ssl_cert_archives`

			`- debug:`
			`msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}"`

SSL support optimisation 2018-05-05 07:42:08 +02:00			`# Maybe encrypt certificates first as these are not p12 files?`
			`# Generate a private/public key pair`
			`# $ openssl genrsa -out rsa_key.pri 2048; openssl rsa -in rsa_key.pri -out rsa_key.pub -outform PEM -pubout`
			`# Encrypt the string using public key, and store in a file`
			`# $ echo "stockexchange.com" \| openssl rsautl -encrypt -inkey rsa_key.pub -pubin -out secret.dat`
			`# Un-encrypt using private key`
			# $ string=`openssl rsautl -decrypt -inkey rsa_key.pri -in secret.dat `; echo $string
			`# stockexchange.com`
Added more x-pack config options 2018-05-03 16:45:04 +02:00
			`- name: Fetch certificates for Kibana`
			`fetch:`
			`src: "{{item.path}}"`
			`dest: /tmp/certs/`
			`flat: true`
			`loop: "{{ es_kb_ssl_cert_archives.files }}"`

			`- name: Fetch CA certificate from primary ES server`
			`fetch:`
			`src: /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt`
			`dest: /tmp/certs/`
			`flat: true`