Elasticsearch supports TLS encryption for its client endpoint, which - since ES 8.0 - is also its default mode of operation.
The way it works is that, on cluster initialization, an x509 CA will be generated, which will then be used to issue certificates to all nodes in the cluster. One can optionally also use a custom CA for this purpose.
For clients this means that they must be made aware of the used CA, otherwise verification of the certificate will fail when they connect to an ES endpoint.
For the PHP client this can be done with the
->setCABundle('path/to/http_ca.crt') call on the
Elasticsearch\ClientBuilder instance - see e.g. here.
An alternative form of establishing authenticity would be to have the client merely verify the fingerprint of the CA. I have however, at first glance, not seen how to make the PHP ES client do that.
As such: Please add support for a way to tell the ES client which CA is in use. By either:
- Allowing to specify (via config or admin GUI) the CA's fingerprint
- Or allowing to provide it (ideally via upload in the admin GUI) with the full CA certificate. A less convenient (for us 😉) solution would be that one can only specify the path to the CA certificate in the config/GUI, then we'd take care of having the CA in the proper place as part of the build/deployment process.