I generated a certificate file with certbot. It is placed in /etc/letsencrypt/....
I created a group called elk where I added the elasticsearch user, and I recursively set it as the owning group for /etc/letsencrypt and recursively set the permissions to 770.
When I start elasticsearch via systemctl start elasticsearch.service, it is not able to read the file:

    Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/letsencrypt/live/<domain>/fullchain.pem" "read")

Why is that?
What strategy would you recommend to be able to use the same certificate for elasticsearch and kibana?
You should check the following permissions:
As a best practice, it's recommended to keep certificates in the /etc/elasticsearch directory. So I recommend the following steps for a Linux environment:

    mkdir /etc/elasticsearch/certs
    cp /etc/letsencrypt/live/<domain>/* /etc/elasticsearch/certs/
    chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs/

You can use the same certificate for both Kibana and Elasticsearch.
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html#encrypt-kibana-http
https://www.elastic.co/guide/en/kibana/current/settings.html
These are used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch.
Also please check the similar question here.
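
Copies made as the answer suggests go stale when certbot renews the certificate, so the copy step can be run as a certbot deploy hook. The script below is an added example, not part of the original thread; the hook file name and the 750/600/644 modes are assumptions, and it relies on certbot setting RENEWED_LINEAGE for deploy hooks.

```shell
#!/bin/sh
# Added example (not from the original thread): certbot deploy hook that
# re-copies a renewed certificate into the Elasticsearch config directory.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/elastic-certs.sh

# install_certs SRC_DIR DST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem from SRC_DIR (symlinks are followed)
# into DST_DIR with restrictive modes. Returns non-zero if a file is missing.
install_certs() {
    src=$1; dst=$2; owner=${3:-elasticsearch}
    # Check both inputs first so a failed run leaves the destination untouched.
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst" && chmod 750 "$dst" || return 1
    for f in fullchain.pem privkey.pem; do
        # Write to a temp name, then rename, so a reader never sees a partial file.
        tmp="$dst/.$f.new"
        cp -L "$src/$f" "$tmp" || return 1
        if [ "$f" = privkey.pem ]; then chmod 600 "$tmp"; else chmod 644 "$tmp"; fi
        mv -f "$tmp" "$dst/$f" || return 1
    done
    # Ownership can only be changed by root; skip otherwise (e.g. a test run).
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$dst" || return 1
    fi
    return 0
}

# certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain> for deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" /etc/elasticsearch/certs elasticsearch
fi
```

To serve Kibana from the same certificate, the function can be called a second time with Kibana's own directory and service user; Elasticsearch and Kibana still need a reload or restart to pick up the new files.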