Select Page

Akeneo: Requiring an SSL Connection with Elasticsearch using Apache

March 5, 2021

Using XPack? Visit the companion article here!

OVERVIEW

Akeneo PIM is a PHP/Symfony web application that uses MySQL for persistence, and Elasticsearch for search capability. From an abstract perspective it consists of three major components:

  • · MySQL, a relational database for storing data
  • · Elasticsearch, a search engine for indexing
  • · PHP/Symfony backend served by Apache2

Accordingly, you may find yourself in the position of hosting Elasticsearch on a different machine from PHP/Symfony+Apache2; either a host you maintain for Elasticsearch, or a Elasticsearch service in the cloud. Once you move the search engine portion of the application to an external host, you’ll need to secure it with SSL.

In a typical Akeneo Community installation, all three components of the application are installed on the same machine. Elasticsearch in this setting does not use authentication, nor does it use encryption over http. Why would it, it’s on the same machine? But when Elasticsearch is installed on another machine, you must enable authentication and encryption.

Elasticsearch authentication, in this article, will be configured as basic authentication, that is, using a username and password. Elasticsearch encryption, using SSL. Since we are using the Akeneo Community Edition, both authentication and encryption will be accomplished by proxing Elasticsearch through Apache.

On our new Elasticsearch host (Ubuntu 20 LTS server), we’ll start by installing Elasticsearch. Next, we’ll install Apache and configure it so Elasticsearch so it accessible to the external network. Then configure it for SSL, and finally set up basic authentication.

On our Akeneo PIM host (Ubuntu 20 LTS server), we’ll patch ca-certificates, if required. Configure Akeneo for SSL, and finally rebuild our indexes on the new external Elasticsearch host.

So, follow along as I explain each step of the process of requiring and verifying SSL.

ON THE ELASTICSEARCH HOST

Install Elasticsearch

I’m going to start this process with the assumption that you have a new Ubuntu 20 LTS Server that you are going to install Elasticsearch on. In my case, I’m going to use a Raspberry Pi 4, so the hostnames will reflect this decision.

~$ # Rather than type sudo over and over, I like to become the root user by doing:

~$ sudo -u root -i

Now, the rest of the commands I execute will be as the root user, thus prefixed with #, until I exit.

I’m going to install Elasticsearch by following the Elasticsearch portion of Akeneo’s System installation on Ubuntu 18.04 (Bionic Beaver) (https://docs.akeneo.com/latest/install_pim/manual/system_requirements/system_install_ubuntu_1804.html).

~# # Let's start by installing apt-transport-https:

~# apt-get install apt-transport-https -y

~# # Next, add the elasticsearch gpg-key to apt:

~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
OK

~# # Now, add the elasticsearch repository to apt:

~# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-7.x.list
deb https://artifacts.elastic.co/packages/7.x/apt stable main

~# # With the additional configuration in place, let's update apt:

~# apt update
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable InRelease [10.4 kB]
Hit:2 http://ports.ubuntu.com/ubuntu-ports focal InRelease
Hit:3 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
Hit:4 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease
Get:5 https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages [25.8 kB]
Hit:6 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
Fetched 36.2 kB in 2s (17.9 kB/s)                      
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

~# # The instructions say to use Elasticsearch 7.5. Let's see if that is available: 

~# apt-cache madison elasticsearch
elasticsearch |     7.11.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |     7.11.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |     7.10.2 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |     7.10.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |     7.10.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.9.3 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.9.2 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.9.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.9.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.8.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.8.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.7.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
elasticsearch |      7.7.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages

~# # Hmm. It's not available.
~# # I've used version 7.8.1 with Akeneo 4 successfully before, so I'll I use it here.

~# apt-get install elasticsearch=7.8.1
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  elasticsearch
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 315 MB of archives.
After this operation, 528 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 elasticsearch arm64 7.8.1 [315 MB]
Fetched 315 MB in 30s (10.5 MB/s)                                                                  
Selecting previously unselected package elasticsearch.
(Reading database ... 66801 files and directories currently installed.)
Preparing to unpack .../elasticsearch_7.8.1_arm64.deb ...
Unpacking elasticsearch (7.8.1) ...
Setting up elasticsearch (7.8.1) ...
Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore
Processing triggers for systemd (245.4-4ubuntu3.4) ...

~# # Now that it's installed, let's start elasticsearch: 

~# service elasticsearch start

~# # Let's verify vm.max_map_count  

~# sysctl -n vm.max_map_count
262144

~# # GOOD!
~# # Let's make sure it's up and running with its default configuration: 

~# curl http://localhost:9200
{
  "name" : "rpi4-4g-elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "ubshELm_TfShUFLFWO9Kpg",
  "version" : {
    "number" : "7.8.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
    "build_date" : "2020-07-21T16:40:44.668009Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Now that Elasticsearch is installed and running, let’s configure it to start automatically on the host’ startup or reboot.

Enable Startup on Boot

~# # First, let's create a systemd configuration directory for Elasticsearch:

~# mkdir -p /etc/systemd/system/elasticsearch.service.d

~# # Next, we'll add a configuration file:

~# echo -e "[Service]\nTimeoutStartSec=60" | sudo tee /etc/systemd/system/elasticsearch.service.d/startup-timeout.conf
[Service]
TimeoutStartSec=60

~# # Now, let's reload the daemon 

~# systemctl daemon-reload

~# # And finally, enable Elasticsearch

~# systemctl enable elasticsearch
Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.

~# systemctl daemon-reload

At this point, any time you startup or reboot the host, Elasticsearch will automatically start too. By default, Elasticsearch is only configured to be accessible on localhost (127.0.0.1). So, let’s proxy it through Apache so it’s accessible to any external network.

Enable External Network Access, Authentication, and Encryption

~# # Let's install Apache2 so we can proxy Elasticsearch through it.
~# # First, let's generate an SSL certificate:

~# cd /etc/ssl

/etc/ssl# # We need a certificate for: rpi4-2g-elasticsearch.donaldbales.com

/etc/ssl# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout rpi4-2g-elasticsearch.donaldbales.com.key -out rpi4-2g-elasticsearch.donaldbales.com.crt
Generating a RSA private key
.............+++++
..............................+++++
writing new private key to 'rpi4-2g-elasticsearch.donaldbales.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Arizona
Locality Name (eg, city) []:Sedona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Donald Bales
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:rpi4-2g-elasticsearch.donaldbales.com
Email Address []:[email protected]

/etc/ssl# # Now let's make a pem:

/etc/ssl# openssl x509 -inform PEM -in rpi4-2g-elasticsearch.donaldbales.com.crt -text -out rpi4-2g-elasticsearch.donaldbales.com.pem

/etc/ssl#  ls -lap
total 52
drwxr-xr-x  4 root root      4096 Mar  3 16:24 ./
drwxr-xr-x 99 root root      4096 Mar  3 16:20 ../
drwxr-xr-x  2 root root     12288 Feb 26 16:06 certs/
-rw-r--r--  1 root root     10909 Apr 20  2020 openssl.cnf
drwx--x---  2 root ssl-cert  4096 Feb 26 16:06 private/
-rw-r--r--  1 root root      1480 Mar  3 16:24 rpi4-2g-elasticsearch.donaldbales.com.crt
-rw-------  1 root root      1704 Mar  3 16:23 rpi4-2g-elasticsearch.donaldbales.com.key
-rw-r--r--  1 root root      4738 Mar  3 16:24 rpi4-2g-elasticsearch.donaldbales.com.pem

/etc/ssl# # The last certificate section in out new pem is the self-signed certificate authority (CA) certificate
/etc/ssl# # Let's tail it so we have the certificate for later when we configure the PIM host:

/etc/ssl# tail -n 24 /etc/ssl/rpi4-2g-elasticsearch.donaldbales.com.pem
-----BEGIN CERTIFICATE-----
MIIEGTCCAwGgAwIBAgIUan19f7GjSEAYG7fs9VPtVdpZRPUwDQYJKoZIhvcNAQEL
BQAwgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdBcml6b25hMQ8wDQYDVQQHDAZT
ZWRvbmExFTATBgNVBAoMDERvbmFsZCBCYWxlczEuMCwGA1UEAwwlcnBpNC0yZy1l
bGFzdGljc2VhcmNoLmRvbmFsZGJhbGVzLmNvbTEiMCAGCSqGSIb3DQEJARYTZG9u
QGRvbmFsZGJhbGVzLmNvbTAeFw0yMTAzMDMxNjI0MjBaFw0zMTAzMDExNjI0MjBa
MIGbMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHQXJpem9uYTEPMA0GA1UEBwwGU2Vk
b25hMRUwEwYDVQQKDAxEb25hbGQgQmFsZXMxLjAsBgNVBAMMJXJwaTQtMmctZWxh
c3RpY3NlYXJjaC5kb25hbGRiYWxlcy5jb20xIjAgBgkqhkiG9w0BCQEWE2RvbkBk
b25hbGRiYWxlcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe
Dil2puDW5qbeJjfpmooRzyXf1JnQhM7B79XHk4FSIikQFxwd5r5rAsRljOCvS998
1kL0fj+qvJ9Y6TYVjdewfhx6j9VWHwQpnKno0xTAyoaB7e+XgjGWiOCOXSc2EyGM
4PEgUy+HLjD5DEM7MYscRruQcWiWKulaaCNmHw7nESrzQqUQj6V5B8EJInjFb9x4
BE3QcH5Q4sHinYmIPtE9+lCYlV39EgEWH26tp/4/G6ywRS0mcArocmmKuIoDQ8As
CmpmT8vF44ALMoQjQlMfcJy32kTSMCq1rgmXhKH1cw5MjzNZ+iK5FICYAlkDM5sb
sCssl+6qGeVj0xfStDmVAgMBAAGjUzBRMB0GA1UdDgQWBBQ+Zu2j8ADytgwnbn2f
jsuFb2V5dDAfBgNVHSMEGDAWgBQ+Zu2j8ADytgwnbn2fjsuFb2V5dDAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBUO1W2Usr+l+4pZYc3eFeYDmVg
AzTrRzBA3OPHZmfBP4nV9JucjW//IM5hXEpkHyEHaAO/JKVuvDpWnT1shyEKB7Qm
r5ImGwgAMOl25xv1ChYFqYNZ91s3+IA01e1GyD3fpu00ezo3/3Oq5fMxtjdLSkCE
s/7dC1OdpEa0CXNaOg49fhlTnAKnlhaKevziROhSDOwtdeVikubnXwu1GILW87JK
EKskb+othmuQYr0fhzoHLDKXcPo/S+jGBn/BuZ+qMQoey5BeEKjbRNMmZ8xqcwoG
l7SrSrCVR6y1eP1en70GSKB0m3whDlxWo4lMkfvHibHTwDgnWsAkLcBkTxJS
-----END CERTIFICATE-----

/etc/ssl# # Now that we have our certificate, we can install and configure Apache2 as proxy

/etc/ssl# cd ~

~# apt-get install apache2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser
The following NEW packages will be installed:
  apache2
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 0 B/95.5 kB of archives.
After this operation, 541 kB of additional disk space will be used.
Selecting previously unselected package apache2.
(Reading database ... 101450 files and directories currently installed.)
Preparing to unpack .../apache2_2.4.41-4ubuntu3.1_arm64.deb ...
Unpacking apache2 (2.4.41-4ubuntu3.1) ...
Setting up apache2 (2.4.41-4ubuntu3.1) ...
Processing triggers for systemd (245.4-4ubuntu3.4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ufw (0.36-6) ...

~# # Now we need to enable modules mod_proxy and proxy_http:

~# a2enmod proxy
Enabling module proxy.
To activate the new configuration, you need to run:
  systemctl restart apache2

~# a2enmod proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Enabling module proxy_http.
To activate the new configuration, you need to run:
  systemctl restart apache2

~# # Verify they are enabled:

~# ls -lap /etc/apache2/mods-enabled/
total 8
drwxr-xr-x 2 root root 4096 Mar  3 16:37 ./
drwxr-xr-x 8 root root 4096 Mar  3 16:34 ../
lrwxrwxrwx 1 root root   36 Feb 26 16:06 access_compat.load -> ../mods-available/access_compat.load
lrwxrwxrwx 1 root root   28 Feb 26 16:06 alias.conf -> ../mods-available/alias.conf
lrwxrwxrwx 1 root root   28 Feb 26 16:06 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root   33 Feb 26 16:06 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root   33 Feb 26 16:06 authn_core.load -> ../mods-available/authn_core.load
lrwxrwxrwx 1 root root   33 Feb 26 16:06 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root   33 Feb 26 16:06 authz_core.load -> ../mods-available/authz_core.load
lrwxrwxrwx 1 root root   33 Feb 26 16:06 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root   33 Feb 26 16:06 authz_user.load -> ../mods-available/authz_user.load
lrwxrwxrwx 1 root root   32 Feb 26 16:06 autoindex.conf -> ../mods-available/autoindex.conf
lrwxrwxrwx 1 root root   32 Feb 26 16:06 autoindex.load -> ../mods-available/autoindex.load
lrwxrwxrwx 1 root root   30 Feb 26 16:06 deflate.conf -> ../mods-available/deflate.conf
lrwxrwxrwx 1 root root   30 Feb 26 16:06 deflate.load -> ../mods-available/deflate.load
lrwxrwxrwx 1 root root   26 Feb 26 16:06 dir.conf -> ../mods-available/dir.conf
lrwxrwxrwx 1 root root   26 Feb 26 16:06 dir.load -> ../mods-available/dir.load
lrwxrwxrwx 1 root root   26 Feb 26 16:06 env.load -> ../mods-available/env.load
lrwxrwxrwx 1 root root   29 Feb 26 16:06 filter.load -> ../mods-available/filter.load
lrwxrwxrwx 1 root root   27 Feb 26 16:06 mime.conf -> ../mods-available/mime.conf
lrwxrwxrwx 1 root root   27 Feb 26 16:06 mime.load -> ../mods-available/mime.load
lrwxrwxrwx 1 root root   32 Feb 26 16:06 mpm_event.conf -> ../mods-available/mpm_event.conf
lrwxrwxrwx 1 root root   32 Feb 26 16:06 mpm_event.load -> ../mods-available/mpm_event.load
lrwxrwxrwx 1 root root   34 Feb 26 16:06 negotiation.conf -> ../mods-available/negotiation.conf
lrwxrwxrwx 1 root root   34 Feb 26 16:06 negotiation.load -> ../mods-available/negotiation.load
lrwxrwxrwx 1 root root   28 Mar  3 16:36 proxy.conf -> ../mods-available/proxy.conf
lrwxrwxrwx 1 root root   28 Mar  3 16:36 proxy.load -> ../mods-available/proxy.load
lrwxrwxrwx 1 root root   33 Mar  3 16:37 proxy_http.load -> ../mods-available/proxy_http.load
lrwxrwxrwx 1 root root   33 Feb 26 16:06 reqtimeout.conf -> ../mods-available/reqtimeout.conf
lrwxrwxrwx 1 root root   33 Feb 26 16:06 reqtimeout.load -> ../mods-available/reqtimeout.load
lrwxrwxrwx 1 root root   31 Feb 26 16:06 setenvif.conf -> ../mods-available/setenvif.conf
lrwxrwxrwx 1 root root   31 Feb 26 16:06 setenvif.load -> ../mods-available/setenvif.load
lrwxrwxrwx 1 root root   36 Feb 26 16:25 socache_shmcb.load -> ../mods-available/socache_shmcb.load
lrwxrwxrwx 1 root root   26 Feb 26 16:25 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root   26 Feb 26 16:25 ssl.load -> ../mods-available/ssl.load
lrwxrwxrwx 1 root root   29 Feb 26 16:06 status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root   29 Feb 26 16:06 status.load -> ../mods-available/status.load

~# # Next, let's create a password file:

~# htpasswd -c /etc/apache2/.htpasswd akeneo_pimce
New password: akeneo_pimce
Re-type new password: akeneo_pimce
Adding password for user akeneo_pimce

~# # Now, let's create a site configuration that proxies Elasticsearch, enables SSL and uses basic authentication:

~# vim /etc/apache2/sites-available/rpi4-2g-elasticsearch.donaldbales.com.conf

~# cat /etc/apache2/sites-available/rpi4-2g-elasticsearch.donaldbales.com.conf
# Listen 443

<VirtualHost *:443>
    ServerName rpi4-2g-elasticsearch.donaldbales.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/rpi4-2g-elasticsearch.donaldbales.com.crt
    SSLCertificateKeyFile /etc/ssl/rpi4-2g-elasticsearch.donaldbales.com.key

    ProxyPass "/" "http://localhost:9200/"
    ProxyPassReverse "/" "http://localhost:9200/"

    <Proxy *>
  Order deny,allow
        Allow from all
        
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>

~# # And now, enable the site:

~# a2ensite rpi4-2g-elasticsearch.donaldbales.com
Enabling site rpi4-2g-elasticsearch.donaldbales.com.
To activate the new configuration, you need to run:
  systemctl reload apache2

~# # Finally, restart apache:

~# systemctl reload apache2

~# # Let's test the new site:

~# curl -k -u akeneo_pimce:akeneo_pimce https://rpi4-2g-elasticsearch.donaldbales.com
{
  "name" : "rpi4-2g-elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "4rcDGpkYQqKIXTYZUQufIw",
  "version" : {
    "number" : "7.8.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
    "build_date" : "2020-07-21T16:40:44.668009Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
~# # Yes! It works!

At this point, we’ve installed Elasticsearch on its own host, proxied it through Apache so it’s accessible to outside networks, uses SSL, and basic authentication. Now it is secured. It’s time for us to move onto the Akeneo PIM work.

ON THE AKENEO PIM WEB HOST

Hacking the CA Certificates File

Since I used a self-signed certificate, Akeneo will not recognize Elasticsearch host as secured. So to work-around this issue, we’re going to add our self-signed certificate to the CA certificates on our PIM host.

~/pim-community-standard$ # Let's add the Apache2 cert to our CA certificates directory:

~/pim-community-standard$ sudo -u root -i

~# cd /etc/ssl

/etc/ssl# ls -lap
total 32
drwxr-xr-x   4 root root      4096 Feb 25 16:37 ./
drwxr-xr-x 109 root root      4096 Feb 26 18:46 ../
drwxr-xr-x   2 root root      8192 Feb 25 16:40 certs/
-rw-r--r--   1 root root     10909 Apr 20  2020 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Aug  5  2020 private/

/etc/ssl# cd certs

/etc/ssl/certs# # Let's create our pem file on the PIM host.
/etc/ssl/certs# # We'll open a new file with vim, and paste our certifcate from above into the file: 

/etc/ssl/certs# vim rpi4-2g-elasticsearch.donaldbales.com.pem 

/etc/ssl/certs# cat rpi4-2g-elasticsearch.donaldbales.com.pem 
-----BEGIN CERTIFICATE-----
MIIEGTCCAwGgAwIBAgIUan19f7GjSEAYG7fs9VPtVdpZRPUwDQYJKoZIhvcNAQEL
BQAwgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdBcml6b25hMQ8wDQYDVQQHDAZT
ZWRvbmExFTATBgNVBAoMDERvbmFsZCBCYWxlczEuMCwGA1UEAwwlcnBpNC0yZy1l
bGFzdGljc2VhcmNoLmRvbmFsZGJhbGVzLmNvbTEiMCAGCSqGSIb3DQEJARYTZG9u
QGRvbmFsZGJhbGVzLmNvbTAeFw0yMTAzMDMxNjI0MjBaFw0zMTAzMDExNjI0MjBa
MIGbMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHQXJpem9uYTEPMA0GA1UEBwwGU2Vk
b25hMRUwEwYDVQQKDAxEb25hbGQgQmFsZXMxLjAsBgNVBAMMJXJwaTQtMmctZWxh
c3RpY3NlYXJjaC5kb25hbGRiYWxlcy5jb20xIjAgBgkqhkiG9w0BCQEWE2RvbkBk
b25hbGRiYWxlcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe
Dil2puDW5qbeJjfpmooRzyXf1JnQhM7B79XHk4FSIikQFxwd5r5rAsRljOCvS998
1kL0fj+qvJ9Y6TYVjdewfhx6j9VWHwQpnKno0xTAyoaB7e+XgjGWiOCOXSc2EyGM
4PEgUy+HLjD5DEM7MYscRruQcWiWKulaaCNmHw7nESrzQqUQj6V5B8EJInjFb9x4
BE3QcH5Q4sHinYmIPtE9+lCYlV39EgEWH26tp/4/G6ywRS0mcArocmmKuIoDQ8As
CmpmT8vF44ALMoQjQlMfcJy32kTSMCq1rgmXhKH1cw5MjzNZ+iK5FICYAlkDM5sb
sCssl+6qGeVj0xfStDmVAgMBAAGjUzBRMB0GA1UdDgQWBBQ+Zu2j8ADytgwnbn2f
jsuFb2V5dDAfBgNVHSMEGDAWgBQ+Zu2j8ADytgwnbn2fjsuFb2V5dDAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBUO1W2Usr+l+4pZYc3eFeYDmVg
AzTrRzBA3OPHZmfBP4nV9JucjW//IM5hXEpkHyEHaAO/JKVuvDpWnT1shyEKB7Qm
r5ImGwgAMOl25xv1ChYFqYNZ91s3+IA01e1GyD3fpu00ezo3/3Oq5fMxtjdLSkCE
s/7dC1OdpEa0CXNaOg49fhlTnAKnlhaKevziROhSDOwtdeVikubnXwu1GILW87JK
EKskb+othmuQYr0fhzoHLDKXcPo/S+jGBn/BuZ+qMQoey5BeEKjbRNMmZ8xqcwoG
l7SrSrCVR6y1eP1en70GSKB0m3whDlxWo4lMkfvHibHTwDgnWsAkLcBkTxJS
-----END CERTIFICATE-----

/etc/ssl/certs# # Next, we'll edit the file: ca-certificates.crt appending our CA cert to the long list of other CA verts:

/etc/ssl/certs# vim ca-certificates.crt

/etc/ssl/certs# tail -n 25 ca-certificates.crt
-----BEGIN CERTIFICATE-----
MIIEGTCCAwGgAwIBAgIUan19f7GjSEAYG7fs9VPtVdpZRPUwDQYJKoZIhvcNAQEL
BQAwgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdBcml6b25hMQ8wDQYDVQQHDAZT
ZWRvbmExFTATBgNVBAoMDERvbmFsZCBCYWxlczEuMCwGA1UEAwwlcnBpNC0yZy1l
bGFzdGljc2VhcmNoLmRvbmFsZGJhbGVzLmNvbTEiMCAGCSqGSIb3DQEJARYTZG9u
QGRvbmFsZGJhbGVzLmNvbTAeFw0yMTAzMDMxNjI0MjBaFw0zMTAzMDExNjI0MjBa
MIGbMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHQXJpem9uYTEPMA0GA1UEBwwGU2Vk
b25hMRUwEwYDVQQKDAxEb25hbGQgQmFsZXMxLjAsBgNVBAMMJXJwaTQtMmctZWxh
c3RpY3NlYXJjaC5kb25hbGRiYWxlcy5jb20xIjAgBgkqhkiG9w0BCQEWE2RvbkBk
b25hbGRiYWxlcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe
Dil2puDW5qbeJjfpmooRzyXf1JnQhM7B79XHk4FSIikQFxwd5r5rAsRljOCvS998
1kL0fj+qvJ9Y6TYVjdewfhx6j9VWHwQpnKno0xTAyoaB7e+XgjGWiOCOXSc2EyGM
4PEgUy+HLjD5DEM7MYscRruQcWiWKulaaCNmHw7nESrzQqUQj6V5B8EJInjFb9x4
BE3QcH5Q4sHinYmIPtE9+lCYlV39EgEWH26tp/4/G6ywRS0mcArocmmKuIoDQ8As
CmpmT8vF44ALMoQjQlMfcJy32kTSMCq1rgmXhKH1cw5MjzNZ+iK5FICYAlkDM5sb
sCssl+6qGeVj0xfStDmVAgMBAAGjUzBRMB0GA1UdDgQWBBQ+Zu2j8ADytgwnbn2f
jsuFb2V5dDAfBgNVHSMEGDAWgBQ+Zu2j8ADytgwnbn2fjsuFb2V5dDAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBUO1W2Usr+l+4pZYc3eFeYDmVg
AzTrRzBA3OPHZmfBP4nV9JucjW//IM5hXEpkHyEHaAO/JKVuvDpWnT1shyEKB7Qm
r5ImGwgAMOl25xv1ChYFqYNZ91s3+IA01e1GyD3fpu00ezo3/3Oq5fMxtjdLSkCE
s/7dC1OdpEa0CXNaOg49fhlTnAKnlhaKevziROhSDOwtdeVikubnXwu1GILW87JK
EKskb+othmuQYr0fhzoHLDKXcPo/S+jGBn/BuZ+qMQoey5BeEKjbRNMmZ8xqcwoG
l7SrSrCVR6y1eP1en70GSKB0m3whDlxWo4lMkfvHibHTwDgnWsAkLcBkTxJS
-----END CERTIFICATE-----

/etc/ssl/certs# exit
logout

Configure Akeneo

Now that our self-signed CA certificate is added, we can change the PIM configuration.

~$ # Next, let's edit our PIM's .env file, setting the new location URL for our Elasticsearch host:

~$ cd pim-community-standard/

~/pim-community-standard$ vim .env
~/pim-community-standard$ cat .env
APP_ENV=prod
APP_DEBUG=0
APP_DATABASE_HOST=localhost
APP_DATABASE_PORT=null
APP_DATABASE_NAME=akeneo_pimce
APP_DATABASE_USER=akeneo_pimce
APP_DATABASE_PASSWORD=akeneo_pimce
APP_DEFAULT_LOCALE=en
APP_SECRET=ThisTokenIsNotSoSecretChangeIt
APP_INDEX_HOSTS=https://akeneo_pimce:[email protected]:443
APP_PRODUCT_AND_PRODUCT_MODEL_INDEX_NAME=akeneo_pim_product_and_product_model_pimce
MAILER_URL=null://localhost
AKENEO_PIM_URL=http://localhost:8080
APP_ELASTICSEARCH_TOTAL_FIELDS_LIMIT=10000

NOTE:

Our new Elasticsearch host URL:

https://akeneo_pimce:[email protected]:443

specifies the:

  • · The protocol as: https (SSL)
  • · The username and password as: akeneo_pimce:akeneo_pimce
  • · The host name and port as: rpi4-2g-elasticsearch.donaldbales.com:443

It must specify the port, or Akeneo cannot understand the connection here.

~/pim-community-standard$ # Let's test our connection to our new Elasticsearch host:

~/pim-community-standard$ curl -u akeneo_pimce:akeneo_pimce https://rpi4-2g-elasticsearch.donaldbales.com
{
  "name" : "rpi4-2g-elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "4rcDGpkYQqKIXTYZUQufIw",
  "version" : {
    "number" : "7.8.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
    "build_date" : "2020-07-21T16:40:44.668009Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

~/pim-community-standard$ # That works. So let's try resetting the elasticsearch indexes:

~/pim-community-standard$ bin/console akeneo:elasticsearch:reset-indexes  -n
This action will entirely reset the following indexes in the PIM:
akeneo_pim_product_and_product_model_pimce
Resetting the index: akeneo_pim_product_and_product_model_pimce

All the indexes have been successfully reset!

You can now use the command pim:product:index and pim:product-model:index to start re-indexing your product and product models.

~/pim-community-standard$ bin/console pim:product-model:index --all -n
    0 [->--------------------------]
0 product models indexed

~/pim-community-standard$ bin/console pim:product:index --all -n
    0 [->--------------------------]
0 products indexed

~/pim-enterprise-standard$ # Now we can restart the php fpm services, and test our Akeneo PIM through a browser.

~/pim-enterprise-standard$ sudo service php7.3-fpm restart

Now you know how to configure your Akeneo PIM to use SSL with Elasticsearch using Apache.

Good skill!

You May Also Like…

Case Study: Giant Tiger

Case Study: Giant Tiger

When we first engaged with Giant Tiger, we discovered their efficiency was being hindered by siloed teams, manual...