How to Install Elasticsearch on Ubuntu 22.04 with SSL. Elasticsearch 8 is a powerful scalable real time distributed search and data analysis. Here you will learn how to configure SSL to your Elasticsearch installation with Nginx reverse proxy on Ubuntu 22.04.
You will create a subdomain for your Elasticsearch service and install free Let’s Encrypt SSL certificate using Certbot.
This setup is tested on Google Cloud Platform running Ubuntu 22.04 LTS. So this guide will work perfect on other cloud service providers like AWS, Azure or any VPS or dedicated servers.
Prerequisites
- A server with minimum 2GB RAM and 2vCPU
- A user with sudo privileges.
Initial Server Setup
Start by updating the server software packages to the latest version available.
sudo apt update sudo apt upgrade
Configure Sub-Domain
Make sure you use a sub-domain to access your Elasticsearch installation.
Go to your DNS management section and create a new A record with the name of you wish for your subdomain (for example search) and value of your your server IP address.
So your sub-domain will look similar to the one below. If you wish to configure your main domain you can do that also.
search.yourdomain.com
Step 1: Install ElasticSearch
Java is already included with the Elasticsearch package, so you don’t want to install Java manually. Learn more about installing Java on Ubuntu 22.04.
Here we will install Elasticsearch 8.
Start by importing Elasticsearch repository’s GPG key.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
Add the repository to the sources list of your Ubuntu server or system.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
Update the package list and install ElasticSearch.
sudo apt update sudo apt install elasticsearch
Once the installation is completed you will receive the super user password, please note that and secure it.
------------------- Security autoconfiguration information ----------------------
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.
The generated password for the elastic built-in superuser is : houbJ1uivo5b=aVYYPa5
If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.
You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
---------------------------------------------------------------------------------
Elasticsearch service is not started automatically upon installation, you need execute the below commands to configure Elasticsearch service to start automatically using systemd.
sudo systemctl daemon-reload sudo systemctl enable elasticsearch.service sudo systemctl start elasticsearch.service
Once Elasticsearch is installed you can restrict port 9200 from outside access by editing the elasticsearch.yml file and uncomment the network.host and replace the value with Internal IP or any IP or localhost.
sudo nano /etc/elasticsearch/elasticsearch.yml
So it looks looks like this..
network.host: INTERNAL_IP
You can also use localhost as host or any IP address you wish.
Hit Ctrl+X followed by Y and Enter to save the file and exit.
Now start and enable Elasticsearch on server boot.
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
Now make sure your Elasticsearch service is running.
sudo systemctl status elasticsearch
Step 2: Verify if Elasticsearch works
Test your installation by sending a HTTPs request by attaching the certificate using the below command.
Take note of the password you received earlier, you will need to use that while prompted.
sudo su
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://INTERNAL_IP:9200
Enter the password while prompted.
You will receive a response as shown below.
{
"name" : "elasticsearch-vm",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "vGrj3z4rQEWRBUdd9IhZWA",
"version" : {
"number" : "8.2.2",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "9876968ef3c745186b94fdabd4483e01499224ef",
"build_date" : "2022-05-25T15:47:06.259735307Z",
"build_snapshot" : false,
"lucene_version" : "9.1.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
Step 3: Install and Configure Nginx for Elasticsearch
Now it’s time to install and configure Nginx. Execute the below command to install Nginx.
sudo apt install nginx
Now you can configure Nginx reverse proxy fro your Elasticsearch.
Remove default configurations
sudo rm /etc/nginx/sites-available/default sudo rm /etc/nginx/sites-enabled/default
Create a new Nginx configuration file.
sudo nano /etc/nginx/sites-available/search.conf
Paste the following.
Note: You need to use exact same IP or localhost that you used in the host of Elasticsearch configuration.
server {
listen [::]:80;
listen 80;
server_name search.yourdomain.com;
location / {
proxy_pass http://INTERNAL_IP:9200;
proxy_redirect off;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
Save and exit the file.
Enable your configuration by creating a symbolic link.
sudo ln -s /etc/nginx/sites-available/search.conf /etc/nginx/sites-enabled/search.conf
Step 4: Install Let’s Encrypt SSL
HTTPS is a protocol for secure communication between a server (instance) and a client (web browser). Due to the introduction of Let’s Encrypt, which provides free SSL certificates, HTTPS are adopted by everyone and also provides trust to your audiences.
sudo apt install python3-certbot-nginx
Now we have installed Certbot by Let’s Encrypt for Ubuntu 22.04, run this command to receive your certificates.
sudo certbot --nginx --agree-tos --no-eff-email --redirect -m [email protected] -d search.domainname.com
This command will install Free SSL, configure redirection to HTTPS and restarts the Nginx server.
Step 5: Renewing SSL Certificate
Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. So, let’s test the renewal feature using the following command.
sudo certbot renew --dry-run
This command will test the certificate expiry and configures the auto-renewable feature.
Prepare yourself for a role working as an Information Technology Professional with Linux operating system
Conclusion
Now you have learned how to install Elasticsearch 8 and secure it with Let’s Encrypt free ssl on Ubuntu 22.04.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.
2 Comments
From “Step 3: Install and Configure Nginx for Elasticsearch” there seems to be a disconnect as it does not work unless you set “xpack.security.enabled: false” which in itself is not ideal unless you have enabled ufw to allow only port 443 before doing so (ufw allow https and ufw enable). It would be preferable if you could detail setting up nginx to allow access to elasticsearch with “xpack.security.enabled: true”
Port 9200 is now HTTPS – Revers Proxy with HTTP – will not work. Cheers