How to Install Elasticsearch on Ubuntu 22.04 with SSL

How to Install Elasticsearch on Ubuntu 22.04 with SSL. Elasticsearch 8 is a powerful scalable real time distributed search and data analysis. Here you will learn how to configure SSL to your Elasticsearch installation with Nginx reverse proxy on Ubuntu 22.04.

You will create a subdomain for your Elasticsearch service and install free Let’s Encrypt SSL certificate using Certbot.

This setup is tested on Google Cloud Platform running Ubuntu 22.04 LTS. So this guide will work perfect on other cloud service providers like AWS, Azure or any VPS or dedicated servers.

Prerequisites

• A server with minimum 2GB RAM and 2vCPU
• A user with sudo privileges.

Initial Server Setup

Start by updating the server software packages to the latest version available.

sudo apt update 
sudo apt upgrade

Configure Sub-Domain

Make sure you use a sub-domain to access your Elasticsearch installation.

Go to your DNS management section and create a new A record with the name of you wish for your subdomain (for example search) and value of your your server IP address.

So your sub-domain will look similar to the one below. If you wish to configure your main domain you can do that also.

search.yourdomain.com

Step 1: Install ElasticSearch

Java is already included with the Elasticsearch package, so you don’t want to install Java manually. Learn more about installing Java on Ubuntu 22.04.

Here we will install Elasticsearch 8.

Start by importing Elasticsearch repository’s GPG key.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

Add the repository to the sources list of your Ubuntu server or system.

echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

Update the package list and install ElasticSearch.

sudo apt update
sudo apt install elasticsearch

Once the installation is completed you will receive the super user password, please note that and secure it.

------------------- Security autoconfiguration information ----------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : houbJ1uivo5b=aVYYPa5

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with 
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with 
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with 
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

---------------------------------------------------------------------------------

Elasticsearch service is not started automatically upon installation, you need execute the below commands to configure Elasticsearch service to start automatically using systemd.

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service

Once Elasticsearch is installed you can restrict port 9200 from outside access by editing the elasticsearch.yml file and uncomment the network.host and replace the value with Internal IP or any IP or localhost.

sudo nano /etc/elasticsearch/elasticsearch.yml 

So it looks looks like this..

network.host: INTERNAL_IP

You can also use localhost as host or any IP address you wish.

Hit Ctrl+X followed by Y and Enter to save the file and exit.

Now start and enable Elasticsearch on server boot.

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Now make sure your Elasticsearch service is running.

sudo systemctl status elasticsearch

Step 2: Verify if Elasticsearch works

Test your installation by sending a HTTPs request by attaching the certificate using the below command.

Take note of the password you received earlier, you will need to use that while prompted.

sudo su
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://INTERNAL_IP:9200

Enter the password while prompted.

You will receive a response as shown below.

{
  "name" : "elasticsearch-vm",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "vGrj3z4rQEWRBUdd9IhZWA",
  "version" : {
    "number" : "8.2.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "9876968ef3c745186b94fdabd4483e01499224ef",
    "build_date" : "2022-05-25T15:47:06.259735307Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Step 3: Install and Configure Nginx for Elasticsearch

Now it’s time to install and configure Nginx. Execute the below command to install Nginx.

sudo apt install nginx

Now you can configure Nginx reverse proxy fro your Elasticsearch.

Remove default configurations

sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default

Create a new Nginx configuration file.

sudo nano /etc/nginx/sites-available/search.conf

Paste the following.

Note: You need to use exact same IP or localhost that you used in the host of Elasticsearch configuration.

server {
     listen [::]:80;
     listen 80;

     server_name search.yourdomain.com;

location / {
     proxy_pass http://INTERNAL_IP:9200;
     proxy_redirect off;
     proxy_read_timeout    90;
     proxy_connect_timeout 90;
     proxy_set_header  X-Real-IP  $remote_addr;
     proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header  Host $http_host;
} 

Save and exit the file.

Enable your configuration by creating a symbolic link.

sudo ln -s /etc/nginx/sites-available/search.conf /etc/nginx/sites-enabled/search.conf

Step 4: Install Let’s Encrypt SSL

HTTPS is a protocol for secure communication between a server (instance) and a client (web browser). Due to the introduction of Let’s Encrypt, which provides free SSL certificates, HTTPS are adopted by everyone and also provides trust to your audiences.

sudo apt install python3-certbot-nginx

Now we have installed Certbot by Let’s Encrypt for Ubuntu 22.04, run this command to receive your certificates.

sudo certbot --nginx --agree-tos --no-eff-email --redirect -m [email protected] -d search.domainname.com

This command will install Free SSL, configure redirection to HTTPS and restarts the Nginx server.

Step 5: Renewing SSL Certificate

Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. So, let’s test the renewal feature using the following command.

sudo certbot renew --dry-run

This command will test the certificate expiry and configures the auto-renewable feature.

Prepare yourself for a role working as an Information Technology Professional with Linux operating system

Conclusion

Now you have learned how to install Elasticsearch 8 and secure it with Let’s Encrypt free ssl on Ubuntu 22.04.

Thanks for your time. If you face any problem or any feedback, please leave a comment below.