OVERVIEW
Akeneo PIM is a PHP/Symfony web application that uses MySQL for persistence, and Elasticsearch for search capability. From an abstract perspective it consists of three major components:
- MySQL, a relational database for storing data
- Elasticsearch, a search engine for indexing
- PHP/Symfony backend served by Apache2
Accordingly, you may find yourself in the position of hosting Elasticsearch on a different machine from PHP/Symfony+Apache2; either a host you maintain for Elasticsearch, or an Elasticsearch service in the cloud. Once you move the search engine portion of the application to an external host, you’ll need to secure it with SSL.
In a typical Akeneo Community installation, all three components of the application are installed on the same machine. Elasticsearch in this setting does not use authentication, nor does it use encryption over HTTP. Why would it? It’s on the same machine. But when Elasticsearch is installed on another machine, you must enable authentication and encryption.
Elasticsearch authentication, in this article, will be configured as basic authentication, that is, using a username and password. Elasticsearch encryption will use SSL. Since we are using the Akeneo Community Edition, both authentication and encryption will be accomplished by proxying Elasticsearch through Apache.
On our new Elasticsearch host (Ubuntu 20 LTS server), we’ll start by installing Elasticsearch. Next, we’ll install Apache and configure it so Elasticsearch is accessible to the external network. Then we’ll configure it for SSL, and finally set up basic authentication.
On our Akeneo PIM host (Ubuntu 20 LTS server), we’ll patch ca-certificates, if required. Then we’ll configure Akeneo for SSL, and finally rebuild our indexes on the new external Elasticsearch host.
So, follow along as I explain each step of the process of requiring and verifying SSL.
ON THE ELASTICSEARCH HOST
Install Elasticsearch
I’m going to start this process with the assumption that you have a new Ubuntu 20 LTS Server that you are going to install Elasticsearch on. In my case, I’m going to use a Raspberry Pi 4, so the hostnames will reflect this decision.
    ~$ # Rather than type sudo over and over, I like to become the root user by doing:
    ~$ sudo -u root -i
Now, the rest of the commands I execute will be as the root user, thus prefixed with #, until I exit.
I’m going to install Elasticsearch by following the Elasticsearch portion of Akeneo’s System installation on Ubuntu 18.04 (Bionic Beaver) (https://docs.akeneo.com/latest/install_pim/manual/system_requirements/system_install_ubuntu_1804.html).
    ~# # Let's start by installing apt-transport-https:
    ~# apt-get install apt-transport-https -y
    ~# # Next, add the elasticsearch gpg-key to apt:
    ~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    OK
    ~# # Now, add the elasticsearch repository to apt:
    ~# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-7.x.list
    deb https://artifacts.elastic.co/packages/7.x/apt stable main
    ~# # With the additional configuration in place, let's update apt:
    ~# apt update
    Get:1 https://artifacts.elastic.co/packages/7.x/apt stable InRelease [10.4 kB]
    Hit:2 http://ports.ubuntu.com/ubuntu-ports focal InRelease
    Hit:3 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
    Hit:4 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease
    Get:5 https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages [25.8 kB]
    Hit:6 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
    Fetched 36.2 kB in 2s (17.9 kB/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    All packages are up to date.
    ~# # The instructions say to use Elasticsearch 7.5. Let's see if that is available:
    ~# apt-cache madison elasticsearch
    elasticsearch | 7.11.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.11.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.10.2 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.10.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.10.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.9.3 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.9.2 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.9.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.9.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.8.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.8.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.7.1 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    elasticsearch | 7.7.0 | https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 Packages
    ~# # Hmm. It's not available.
    ~# # I've used version 7.8.1 with Akeneo 4 successfully before, so I'll use it here.
    ~# apt-get install elasticsearch=7.8.1
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following NEW packages will be installed:
      elasticsearch
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 315 MB of archives.
    After this operation, 528 MB of additional disk space will be used.
    Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main arm64 elasticsearch arm64 7.8.1 [315 MB]
    Fetched 315 MB in 30s (10.5 MB/s)
    Selecting previously unselected package elasticsearch.
    (Reading database ... 66801 files and directories currently installed.)
    Preparing to unpack .../elasticsearch_7.8.1_arm64.deb ...
    Unpacking elasticsearch (7.8.1) ...
    Setting up elasticsearch (7.8.1) ...
    Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore
    Processing triggers for systemd (245.4-4ubuntu3.4) ...
    ~# # Now that it's installed, let's start elasticsearch:
    ~# service elasticsearch start
    ~# # Let's verify vm.max_map_count
    ~# sysctl -n vm.max_map_count
    262144
    ~# # GOOD!
    ~# # Let's make sure it's up and running with its default configuration:
    ~# curl http://localhost:9200
    {
      "name" : "rpi4-4g-elasticsearch",
      "cluster_name" : "elasticsearch",
      "cluster_uuid" : "ubshELm_TfShUFLFWO9Kpg",
      "version" : {
        "number" : "7.8.1",
        "build_flavor" : "default",
        "build_type" : "deb",
        "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
        "build_date" : "2020-07-21T16:40:44.668009Z",
        "build_snapshot" : false,
        "lucene_version" : "8.5.1",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }
Now that Elasticsearch is installed and running, let’s configure it to start automatically on the host’s startup or reboot.
Enable Startup on Boot
    ~# # First, let's create a systemd configuration directory for Elasticsearch:
    ~# mkdir -p /etc/systemd/system/elasticsearch.service.d
    ~# # Next, we'll add a configuration file:
    ~# echo -e "[Service]\nTimeoutStartSec=60" | sudo tee /etc/systemd/system/elasticsearch.service.d/startup-timeout.conf
    [Service]
    TimeoutStartSec=60
    ~# # Now, let's reload the daemon
    ~# systemctl daemon-reload
    ~# # And finally, enable Elasticsearch
    ~# systemctl enable elasticsearch
    Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
    Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.
    ~# systemctl daemon-reload
At this point, any time you start up or reboot the host, Elasticsearch will automatically start too. By default, Elasticsearch is only configured to be accessible on localhost (127.0.0.1). So, let’s proxy it through Apache so it’s accessible to any external network.
Enable External Network Access, Authentication, and Encryption
    ~# # Let's install Apache2 so we can proxy Elasticsearch through it.
    ~# # First, let's generate an SSL certificate:
    ~# cd /etc/ssl
    /etc/ssl# # We need a certificate for: rpi4-2g-elasticsearch.donaldbales.com
    /etc/ssl# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout rpi4-2g-elasticsearch.donaldbales.com.key -out rpi4-2g-elasticsearch.donaldbales.com.crt
    Generating a RSA private key
    .............+++++
    ..............................+++++
    writing new private key to 'rpi4-2g-elasticsearch.donaldbales.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Arizona
    Locality Name (eg, city) []:Sedona
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Donald Bales
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:rpi4-2g-elasticsearch.donaldbales.com
    Email Address []:[email protected]
    /etc/ssl# # Now let's make a pem:
    /etc/ssl# openssl x509 -inform PEM -in rpi4-2g-elasticsearch.donaldbales.com.crt -text -out rpi4-2g-elasticsearch.donaldbales.com.pem
    /etc/ssl# ls -lap
    total 52
    drwxr-xr-x  4 root root      4096 Mar  3 16:24 ./
    drwxr-xr-x 99 root root      4096 Mar  3 16:20 ../
    drwxr-xr-x  2 root root     12288 Feb 26 16:06 certs/
    -rw-r--r--  1 root root     10909 Apr 20  2020 openssl.cnf
    drwx--x---  2 root ssl-cert  4096 Feb 26 16:06 private/
    -rw-r--r--  1 root root      1480 Mar  3 16:24 rpi4-2g-elasticsearch.donaldbales.com.crt
    -rw-------  1 root root      1704 Mar  3 16:23 rpi4-2g-elasticsearch.donaldbales.com.key
    -rw-r--r--  1 root root      4738 Mar  3 16:24 rpi4-2g-elasticsearch.donaldbales.com.pem
    /etc/ssl# # The last certificate section in our new pem is the self-signed certificate authority (CA) certificate
    /etc/ssl# # Let's tail it so we have the certificate for later when we configure the PIM host:
    /etc/ssl# tail -n 24 /etc/ssl/rpi4-2g-elasticsearch.donaldbales.com.pem
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
    /etc/ssl# # Now that we have our certificate, we can install and configure Apache2 as proxy
    /etc/ssl# cd ~
    ~# apt-get install apache2
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Suggested packages:
      apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser
    The following NEW packages will be installed:
      apache2
    0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
    Need to get 0 B/95.5 kB of archives.
    After this operation, 541 kB of additional disk space will be used.
    Selecting previously unselected package apache2.
    (Reading database ... 101450 files and directories currently installed.)
    Preparing to unpack .../apache2_2.4.41-4ubuntu3.1_arm64.deb ...
    Unpacking apache2 (2.4.41-4ubuntu3.1) ...
    Setting up apache2 (2.4.41-4ubuntu3.1) ...
    Processing triggers for systemd (245.4-4ubuntu3.4) ...
    Processing triggers for man-db (2.9.1-1) ...
    Processing triggers for ufw (0.36-6) ...
    ~# # Now we need to enable modules mod_proxy and proxy_http:
    ~# a2enmod proxy
    Enabling module proxy.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    ~# a2enmod proxy_http
    Considering dependency proxy for proxy_http:
    Module proxy already enabled
    Enabling module proxy_http.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    ~# # Verify they are enabled:
    ~# ls -lap /etc/apache2/mods-enabled/
    total 8
    drwxr-xr-x 2 root root 4096 Mar  3 16:37 ./
    drwxr-xr-x 8 root root 4096 Mar  3 16:34 ../
    lrwxrwxrwx 1 root root   36 Feb 26 16:06 access_compat.load -> ../mods-available/access_compat.load
    lrwxrwxrwx 1 root root   28 Feb 26 16:06 alias.conf -> ../mods-available/alias.conf
    lrwxrwxrwx 1 root root   28 Feb 26 16:06 alias.load -> ../mods-available/alias.load
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 auth_basic.load -> ../mods-available/auth_basic.load
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 authn_core.load -> ../mods-available/authn_core.load
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 authn_file.load -> ../mods-available/authn_file.load
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 authz_core.load -> ../mods-available/authz_core.load
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 authz_host.load -> ../mods-available/authz_host.load
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 authz_user.load -> ../mods-available/authz_user.load
    lrwxrwxrwx 1 root root   32 Feb 26 16:06 autoindex.conf -> ../mods-available/autoindex.conf
    lrwxrwxrwx 1 root root   32 Feb 26 16:06 autoindex.load -> ../mods-available/autoindex.load
    lrwxrwxrwx 1 root root   30 Feb 26 16:06 deflate.conf -> ../mods-available/deflate.conf
    lrwxrwxrwx 1 root root   30 Feb 26 16:06 deflate.load -> ../mods-available/deflate.load
    lrwxrwxrwx 1 root root   26 Feb 26 16:06 dir.conf -> ../mods-available/dir.conf
    lrwxrwxrwx 1 root root   26 Feb 26 16:06 dir.load -> ../mods-available/dir.load
    lrwxrwxrwx 1 root root   26 Feb 26 16:06 env.load -> ../mods-available/env.load
    lrwxrwxrwx 1 root root   29 Feb 26 16:06 filter.load -> ../mods-available/filter.load
    lrwxrwxrwx 1 root root   27 Feb 26 16:06 mime.conf -> ../mods-available/mime.conf
    lrwxrwxrwx 1 root root   27 Feb 26 16:06 mime.load -> ../mods-available/mime.load
    lrwxrwxrwx 1 root root   32 Feb 26 16:06 mpm_event.conf -> ../mods-available/mpm_event.conf
    lrwxrwxrwx 1 root root   32 Feb 26 16:06 mpm_event.load -> ../mods-available/mpm_event.load
    lrwxrwxrwx 1 root root   34 Feb 26 16:06 negotiation.conf -> ../mods-available/negotiation.conf
    lrwxrwxrwx 1 root root   34 Feb 26 16:06 negotiation.load -> ../mods-available/negotiation.load
    lrwxrwxrwx 1 root root   28 Mar  3 16:36 proxy.conf -> ../mods-available/proxy.conf
    lrwxrwxrwx 1 root root   28 Mar  3 16:36 proxy.load -> ../mods-available/proxy.load
    lrwxrwxrwx 1 root root   33 Mar  3 16:37 proxy_http.load -> ../mods-available/proxy_http.load
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 reqtimeout.conf -> ../mods-available/reqtimeout.conf
    lrwxrwxrwx 1 root root   33 Feb 26 16:06 reqtimeout.load -> ../mods-available/reqtimeout.load
    lrwxrwxrwx 1 root root   31 Feb 26 16:06 setenvif.conf -> ../mods-available/setenvif.conf
    lrwxrwxrwx 1 root root   31 Feb 26 16:06 setenvif.load -> ../mods-available/setenvif.load
    lrwxrwxrwx 1 root root   36 Feb 26 16:25 socache_shmcb.load -> ../mods-available/socache_shmcb.load
    lrwxrwxrwx 1 root root   26 Feb 26 16:25 ssl.conf -> ../mods-available/ssl.conf
    lrwxrwxrwx 1 root root   26 Feb 26 16:25 ssl.load -> ../mods-available/ssl.load
    lrwxrwxrwx 1 root root   29 Feb 26 16:06 status.conf -> ../mods-available/status.conf
    lrwxrwxrwx 1 root root   29 Feb 26 16:06 status.load -> ../mods-available/status.load
    ~# # Next, let's create a password file:
    ~# htpasswd -c /etc/apache2/.htpasswd akeneo_pimce
    New password: akeneo_pimce
    Re-type new password: akeneo_pimce
    Adding password for user akeneo_pimce
    ~# # Now, let's create a site configuration that proxies Elasticsearch, enables SSL and uses basic authentication:
    ~# vim /etc/apache2/sites-available/rpi4-2g-elasticsearch.donaldbales.com.conf
    ~# cat /etc/apache2/sites-available/rpi4-2g-elasticsearch.donaldbales.com.conf
    # Listen 443
    <VirtualHost *:443>
      ServerName rpi4-2g-elasticsearch.donaldbales.com
      SSLEngine on
      SSLCertificateFile /etc/ssl/rpi4-2g-elasticsearch.donaldbales.com.crt
      SSLCertificateKeyFile /etc/ssl/rpi4-2g-elasticsearch.donaldbales.com.key
      ProxyPass "/" "http://localhost:9200/"
      ProxyPassReverse "/" "http://localhost:9200/"
      <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
      </Proxy>
    </VirtualHost>
    ~# # And now, enable the site:
    ~# a2ensite rpi4-2g-elasticsearch.donaldbales.com
    Enabling site rpi4-2g-elasticsearch.donaldbales.com.
    To activate the new configuration, you need to run:
      systemctl reload apache2
    ~# # Finally, restart apache:
    ~# systemctl reload apache2
    ~# # Let's test the new site:
    ~# curl -k -u akeneo_pimce:akeneo_pimce https://rpi4-2g-elasticsearch.donaldbales.com
    {
      "name" : "rpi4-2g-elasticsearch",
      "cluster_name" : "elasticsearch",
      "cluster_uuid" : "4rcDGpkYQqKIXTYZUQufIw",
      "version" : {
        "number" : "7.8.1",
        "build_flavor" : "default",
        "build_type" : "deb",
        "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
        "build_date" : "2020-07-21T16:40:44.668009Z",
        "build_snapshot" : false,
        "lucene_version" : "8.5.1",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }
    ~# # Yes! It works!
At this point, we’ve installed Elasticsearch on its own host, proxied it through Apache so it’s accessible to outside networks, and enabled SSL and basic authentication. Now it is secured. It’s time for us to move onto the Akeneo PIM work.
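A quick lint for the proxy vhost described above, as an added example that is not part of the original article: it checks that TLS and authentication are both active and that the plain-HTTP hop to Elasticsearch stays on loopback. The host name es.example.internal, the address 10.0.0.5 and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example: lint an Apache vhost that fronts Elasticsearch.

# audit_vhost: read a vhost on stdin, print findings, return 1 on any FAIL.
audit_vhost() {
    # Drop comment lines so a commented-out directive does not count.
    conf=$(grep -v '^[[:space:]]*#' || true)
    rc=0
    has() { printf '%s\n' "$conf" | grep -Eiq "^[[:space:]]*$1"; }

    has 'SSLEngine[[:space:]]+on' ||
        { echo "FAIL tls: SSLEngine on is missing"; rc=1; }
    has 'AuthUserFile[[:space:]]' &&
        has 'Require[[:space:]]+(valid-user|user[[:space:]])' ||
        { echo "FAIL auth: no AuthUserFile/Require pair"; rc=1; }
    # Apache-to-Elasticsearch traffic is plain HTTP, so it must stay local.
    if printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*ProxyPass[[:space:]]' |
        grep -Eiv 'https?://(localhost|127\.0\.0\.1)[:/"]' | grep -q .; then
        echo "FAIL backend: ProxyPass target is not loopback"; rc=1
    fi
    # Works while mod_access_compat is loaded, but Apache 2.4 discourages it.
    has '(Order|Allow|Deny)[[:space:]]' &&
        echo "WARN legacy: 2.2-style Order/Allow/Deny mixed with Require"
    return $rc
}

# Constructed copy of the article's vhost, with a placeholder host name.
sample_article_vhost() {
cat <<'EOF'
<VirtualHost *:443>
  ServerName es.example.internal
  SSLEngine on
  SSLCertificateFile /etc/ssl/es.example.internal.crt
  SSLCertificateKeyFile /etc/ssl/es.example.internal.key
  ProxyPass "/" "http://localhost:9200/"
  ProxyPassReverse "/" "http://localhost:9200/"
  <Proxy *>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
  </Proxy>
</VirtualHost>
EOF
}

# Constructed weak variant: plain HTTP, no authentication, remote backend.
sample_weak_vhost() {
cat <<'EOF'
<VirtualHost *:80>
  ServerName es.example.internal
  # SSLEngine on
  ProxyPass "/" "http://10.0.0.5:9200/"
  ProxyPassReverse "/" "http://10.0.0.5:9200/"
</VirtualHost>
EOF
}

sample_article_vhost | audit_vhost
sample_weak_vhost | audit_vhost || true
```

To check a real site file, run `audit_vhost < /etc/apache2/sites-available/<site>.conf` after sourcing the functions.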
ON THE AKENEO PIM WEB HOST
Hacking the CA Certificates File
Since I used a self-signed certificate, Akeneo will not recognize the Elasticsearch host as secured. So to work around this issue, we’re going to add our self-signed certificate to the CA certificates on our PIM host.
    ~/pim-community-standard$ # Let's add the Apache2 cert to our CA certificates directory:
    ~/pim-community-standard$ sudo -u root -i
    ~# cd /etc/ssl
    /etc/ssl# ls -lap
    total 32
    drwxr-xr-x   4 root root      4096 Feb 25 16:37 ./
    drwxr-xr-x 109 root root      4096 Feb 26 18:46 ../
    drwxr-xr-x   2 root root      8192 Feb 25 16:40 certs/
    -rw-r--r--   1 root root     10909 Apr 20  2020 openssl.cnf
    drwx--x---   2 root ssl-cert  4096 Aug  5  2020 private/
    /etc/ssl# cd certs
    /etc/ssl/certs# # Let's create our pem file on the PIM host.
    /etc/ssl/certs# # We'll open a new file with vim, and paste our certificate from above into the file:
    /etc/ssl/certs# vim rpi4-2g-elasticsearch.donaldbales.com.pem
    /etc/ssl/certs# cat rpi4-2g-elasticsearch.donaldbales.com.pem
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
    /etc/ssl/certs# # Next, we'll edit the file: ca-certificates.crt appending our CA cert to the long list of other CA certs:
    /etc/ssl/certs# vim ca-certificates.crt
    /etc/ssl/certs# tail -n 25 ca-certificates.crt
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
    /etc/ssl/certs# exit
    logout
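A hand edit of ca-certificates.crt like the one above is lost whenever update-ca-certificates regenerates that bundle. The following added example (not part of the original article) shows the checks worth running on a self-signed certificate before trusting it, plus the Ubuntu-supported install path; the host name es.example.internal and the temporary files are constructed, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: throwaway certificate and constructed host name.

# make_cert DIR HOST: self-signed certificate with HOST in subjectAltName,
# since some TLS clients ignore the Common Name when matching host names.
make_cert() {
    openssl req -x509 -nodes -days 30 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
        chmod 600 "$1/$2.key"
}

# fingerprint CERT: SHA-256 fingerprint, to compare on both hosts after the
# certificate has been copied or pasted across.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_cert CERT HOST: 0 only if CERT is a usable trust anchor for HOST.
check_cert() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 ||
        { echo "FAIL: does not verify as its own trust anchor" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match' ||
        { echo "FAIL: certificate is not valid for $2" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 604800 >/dev/null ||
        { echo "FAIL: expires within 7 days" >&2; return 1; }
}

# install_local_ca CERT: Ubuntu's supported path (root required). The bundle
# /etc/ssl/certs/ca-certificates.crt is rebuilt from this directory, so the
# entry survives package updates; the file name must end in .crt.
install_local_ca() {
    cp "$1" "/usr/local/share/ca-certificates/$(basename "$1")" &&
        update-ca-certificates
}

# Demo on a throwaway certificate; nothing is installed system-wide.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_cert "$demo" es.example.internal &&
        check_cert "$demo/es.example.internal.crt" es.example.internal &&
        echo "ok: $(fingerprint "$demo/es.example.internal.crt")"
    rm -rf "$demo"
fi
```

Once the certificate is installed this way, `curl` without `-k` is the real test that the PIM host verifies the Elasticsearch proxy.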
Configure Akeneo
Now that our self-signed CA certificate is added, we can change the PIM configuration.
    ~$ # Next, let's edit our PIM's .env file, setting the new location URL for our Elasticsearch host:
    ~$ cd pim-community-standard/
    ~/pim-community-standard$ vim .env
    ~/pim-community-standard$ cat .env
    APP_ENV=prod
    APP_DEBUG=0
    APP_DATABASE_HOST=localhost
    APP_DATABASE_PORT=null
    APP_DATABASE_NAME=akeneo_pimce
    APP_DATABASE_USER=akeneo_pimce
    APP_DATABASE_PASSWORD=akeneo_pimce
    APP_DEFAULT_LOCALE=en
    APP_SECRET=ThisTokenIsNotSoSecretChangeIt
    APP_INDEX_HOSTS=https://akeneo_pimce:akeneo_pimce@rpi4-2g-elasticsearch.donaldbales.com:443
    APP_PRODUCT_AND_PRODUCT_MODEL_INDEX_NAME=akeneo_pim_product_and_product_model_pimce
    MAILER_URL=null://localhost
    AKENEO_PIM_URL=http://localhost:8080
    APP_ELASTICSEARCH_TOTAL_FIELDS_LIMIT=10000
NOTE:
Our new Elasticsearch host URL:
https://akeneo_pimce:akeneo_pimce@rpi4-2g-elasticsearch.donaldbales.com:443
specifies:
- The protocol as: https (SSL)
- The username and password as: akeneo_pimce:akeneo_pimce
- The host name and port as: rpi4-2g-elasticsearch.donaldbales.com:443
It must specify the port, or Akeneo cannot understand the connection here.
    ~/pim-community-standard$ # Let's test our connection to our new Elasticsearch host:
    ~/pim-community-standard$ curl -u akeneo_pimce:akeneo_pimce https://rpi4-2g-elasticsearch.donaldbales.com
    {
      "name" : "rpi4-2g-elasticsearch",
      "cluster_name" : "elasticsearch",
      "cluster_uuid" : "4rcDGpkYQqKIXTYZUQufIw",
      "version" : {
        "number" : "7.8.1",
        "build_flavor" : "default",
        "build_type" : "deb",
        "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
        "build_date" : "2020-07-21T16:40:44.668009Z",
        "build_snapshot" : false,
        "lucene_version" : "8.5.1",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }
    ~/pim-community-standard$ # That works. So let's try resetting the elasticsearch indexes:
    ~/pim-community-standard$ bin/console akeneo:elasticsearch:reset-indexes -n
    This action will entirely reset the following indexes in the PIM:
    akeneo_pim_product_and_product_model_pimce
    Resetting the index: akeneo_pim_product_and_product_model_pimce
    All the indexes have been successfully reset!
    You can now use the command pim:product:index and pim:product-model:index to start re-indexing your product and product models.
    ~/pim-community-standard$ bin/console pim:product-model:index --all -n
    0 [->--------------------------] 0 product models indexed
    ~/pim-community-standard$ bin/console pim:product:index --all -n
    0 [->--------------------------] 0 products indexed
    ~/pim-enterprise-standard$ # Now we can restart the php fpm services, and test our Akeneo PIM through a browser.
    ~/pim-enterprise-standard$ sudo service php7.3-fpm restart
Now you know how to configure your Akeneo PIM to use SSL with Elasticsearch using Apache.
Good skill!