Revert "SSL support optimisation"

This reverts commit 80baf268e5.

tasks/xpack/elasticsearch-xpack-ssl.yml

@@ -2,9 +2,9 @@
 #ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF
 #/usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200
 
-- name: Check if {{ es_ssl_config['ca_folder'] }} folder exists
+- name: Check if /etc/ssl/elasticsearch folder exists
   file:
-    path: "{{ es_ssl_config['ca_folder'] }}"
+    path: /etc/ssl/elasticsearch
     state: directory
     owner: elasticsearch
     group: elasticsearch
@@ -13,7 +13,7 @@
 
 - name: Verify if elastic CA keys are present
   stat:
-    path: "{{ es_ssl_config['ca_folder'] }}/elastic-ca.p12"
+    path: "/etc/ssl/elasticsearch/elastic-ca.p12"
   become: true
   become_user: elasticsearch
   register: es_ssl_ca_present
@@ -22,11 +22,11 @@
 - name: Generate SSL/TLS CA Authority (required for platinum license)
   environment: 
     - ES_PATH_CONF: "{{conf_dir}}"
-  command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -pass "{{ es_ssl_config['ca_password'] }}"
+  command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out /etc/ssl/elasticsearch/elastic-ca.p12 -pass "test"
   become: true
   become_user: elasticsearch
   register: elastic_ca
-  when: es_platinum_license is defined and es_ssl_config is defined and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or es_ssl_config['regen_certs'])
+  when: es_platinum_license is defined and es_ssl_config["enabled"] is defined and not es_ssl_ca_present.stat.exists
 
 - name: Check if /usr/local/share/ca-certificates/local-elastic-ca folder exists
   file:
@@ -38,14 +38,12 @@
   register: es_ca_folder
 
 - name: Extract CA certificate to the trusted CA folder
-  command: openssl pkcs12 -in {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:{{ es_ssl_config['ca_password'] }}
-  when: es_ca_folder and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or elastic_ca.changed)
-  register: es_ca_sytem_import_prep
+  command: openssl pkcs12 -in /etc/ssl/elasticsearch/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:test
+  when: es_ca_folder
 
 - name: Add CA certificate to cacerts
   become: true
   command: update-ca-certificates
-  when: es_ca_sytem_import_prep.changed
 
 - name: Verify if elastic Cert keys are present
   stat:
@@ -54,58 +52,56 @@
   become_user: elasticsearch
   register: es_ssl_cert_present
 
-- name: Generate SSL/TLS certificate for primary ES (required for platinum license)
+- name: Generate SSL/TLS certificate for ES (required for platinum license)
   environment: 
     - ES_PATH_CONF: "{{conf_dir}}"
-  command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "{{ es_ssl_config['ca_password'] }}" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "{{ es_ssl_config['es_password'] }}"
+  command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "test"
   become: true
   become_user: elasticsearch
-  register: es_ssl_cert_generated
-  when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not es_ssl_cert_present.stat.exists
+  when: es_ssl_regen_cert is defined or not es_ssl_cert_present.stat.exists
 
 - name: Add SSL/TLS keystore password to ES keystore (required for platinum license)
   environment: 
     - ES_PATH_CONF: "{{conf_dir}}"
-  shell: echo "{{ es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force
+  shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force
   become: true
   become_user: elasticsearch
-  when: es_ssl_cert_generated
+  when: elastic_ca
 
 - name: Add SSL/TLS truststore password to ES keystore (required for platinum license)
   environment: 
     - ES_PATH_CONF: "{{conf_dir}}"
-  shell: echo "{{ es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force
+  shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force
   become: true
   become_user: elasticsearch
-  when: es_ssl_cert_generated
+  when: elastic_ca
 
 - name: set fact es_http_type to HTTPS
   set_fact: es_http_type=https
-  when: es_ssl_cert_generated
+  when: elastic_ca
 
 ##################################### Kibana certificates #####################################
 
 - name: Verify if kibana Cert keys are present
   stat:
-    path: "{{ es_ssl_config['ca_folder'] }}/kb-{{ item }}.zip"
+    path: "/etc/ssl/elasticsearch/kb-{{ item }}.zip"
   become: true
   become_user: elasticsearch
   register: es_kb_ssl_cert_present
-  loop: "{{ groups['kibana_machines'] }}"
+  loop: "{{ groups['kibana_droplets'] }}"
 
-- name: Generate SSL/TLS certificates for Kibana machines
+- name: Generate SSL/TLS certificate for Kibana
   environment: 
     - ES_PATH_CONF: "{{conf_dir}}"
-  command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out {{ es_ssl_config['ca_folder'] }}/kb-{{ item.item }}.zip --pem --name {{ item.item }}
+  command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out /etc/ssl/elasticsearch/kb-{{ item.item }}.zip --pem --name {{ item.item }}
   become: true
   become_user: elasticsearch
-  when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not item.stat.exists
-  # with_items: "{{ es_kb_ssl_cert_present.results }}"
+  when: es_ssl_regen_certs is defined or not item.stat.exists
   loop: "{{ es_kb_ssl_cert_present.results }}"
 
-- name: Find kibana certificates in {{ es_ssl_config['ca_folder'] }}
+- name: Find kibana certificates in /etc/ssl/elasticsearch
   find:
-    paths: "{{ es_ssl_config['ca_folder'] }}"
+    paths: /etc/ssl/elasticsearch
     patterns: 'kb-.*\.zip'
     use_regex: yes
   register: es_kb_ssl_cert_archives
@@ -113,14 +109,28 @@
 - debug:
     msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}"
 
-# Maybe encrypt certificates first as these are not p12 files?
-# Generate a private/public key pair
-# $ openssl genrsa -out rsa_key.pri 2048; openssl rsa -in rsa_key.pri -out rsa_key.pub -outform PEM -pubout
-# Encrypt the string using public key, and store in a file
-# $ echo "stockexchange.com" | openssl rsautl -encrypt -inkey rsa_key.pub -pubin -out secret.dat
-# Un-encrypt using private key
-# $ string=`openssl rsautl -decrypt -inkey rsa_key.pri -in secret.dat `; echo $string
-# stockexchange.com
+# - name: Unarchive certificates for Kibana
+  # unarchive:
+  #   src: "{{item.path}}"
+  #   dest: "{{item.path | regex_replace('(.*).zip$', '\\1')}}"
+  #   remote_src: yes
+  # become: true
+  # become_user: elasticsearch
+  # loop: "{{ es_kb_ssl_cert_archives.files }}"
+
+# - name: Unarchive certificates for Kibana
+#   command: unzip {{item.path}}
+#   become: true
+#   become_user: elasticsearch
+#   loop: "{{ es_kb_ssl_cert_archives.files }}"
+
+# - name: Find kibana certificate directories in /etc/ssl/elasticsearch
+#   find:
+#     paths: /etc/ssl/elasticsearch
+#     patterns: 'kb-.*'
+#     use_regex: yes
+#     file_type: directory
+#   register: es_kb_ssl_cert_folder
 
 - name: Fetch certificates for Kibana
   fetch:

templates/elasticsearch.yml.j2

@@ -57,25 +57,19 @@ xpack.graph.enabled: false
 {% endif %}
 {% endif %}
 
-{% if es_ssl_config is defined %}
+{% if es_ssl_config['enabled'] is defined %}
 xpack.security.transport.ssl.enabled: true
 xpack.security.http.ssl.enabled: true
-xpack.security.http.ssl.keystore.path: "{{ es_ssl_config['keystore'] }}"
-{% if es_ssl_config['keystore_password'] is defined and es_ssl_config['legacy_password_config'] %}
+xpack.security.http.ssl.keystore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12
 #Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords
-xpack.security.http.ssl.keystore.password: "{{ es_ssl_config['keystore_password'] }}"
-{% endif %}
-xpack.security.http.ssl.truststore.path: "{{ es_ssl_config['truststore'] }}"
-{% if es_ssl_config['truststore_password'] is defined and es_ssl_config['legacy_password_config'] %}
+xpack.security.http.ssl.keystore.password: "test"
+xpack.security.http.ssl.truststore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12
 #Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords
-xpack.security.http.ssl.truststore.password: "{{ es_ssl_config['truststore_password'] }}"
-{% endif %}
-{% if es_ssl_config['client_authentication'] is defined %}
-xpack.security.http.ssl.client_authentication: {{ es_ssl_config['client_authentication'] }}
-{% endif %}
+xpack.security.http.ssl.truststore.password: "test"
+xpack.security.http.ssl.client_authentication: none
 {% endif %}
 
-{% if es_mail_config is defined %}
+{% if es_mail_config['account'] is defined %}
 xpack.notification.email:
   account:
     {{ es_mail_config['account'] }}:
@@ -89,5 +83,6 @@ xpack.notification.email:
         {% if es_mail_config['require_auth'] == true %}
         user: {{ es_mail_config['user'] }}
         password: {{ es_mail_config['pass'] }}
-        {% endif %}  
+        {% endif %}
+        
 {% endif %}