After SSL was enabled, Kibana is not working

Elastic Stack Kibana
1

Hi,

Do you have any idea why Kibana is not connecting but Elasticsearch is accessible via https. As per checking in the security of Google Chrome, the certificate is valid. When SSL was not enabled, both Elasticsearch and Kibana were working fine.

image.png530×773 36.6 KB

This is my kibana.yml file:

server.ssl.cert: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.crt
server.ssl.key: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.key

elasticsearch.url: https://ctlsql12wppoc.dir.com:9200/
elasticsearch.ssl.ca: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\ca.pem
elasticsearch.user: elastic
elasticsearch.password: changeme
console.enabled: true

xpack.security.encryptionKey: "elasticsearch123456789009876543211234567890"
xpack.security.sessionTimeout: 600000
xpack.security.cookieName: "sid"

elasticsearch.yml file:

xpack.ssl.key: 'D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.key'
xpack.ssl.certificate: 'D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.crt'
xpack.ssl.certificate_authorities: [ 'D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\ca.crt' ]
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true

xpack.security.authc:
  realms:

    active_directory:
      type: active_directory
      order: 0
      domain_name: dir.com
      ssl:
        certificate_authorities: [ 'D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\ca.pem' ]
    native:
      type: native
      order: 1
2

Can you please post the logs from Kibana? Alos, some observations:

  • Kibana has to validate the SSL connection with Elasticsearch, so both must use the same certificate to make a successful connection. In kibana.yml, the properties for this validation are:
    elasticsearch.ssl.key elasticsearch.ssl.cert elasticsearch.ssl.ca
    And in elasticsearch.yml, those properties are:
    xpack.ssl.key xpack.ssl.certificate xpack.ssl.certificate_authorities
    They must have the path for the same certificate, certificate authority and private key

  • server.ssl.key and server.ssl.cert properties are for the certificates that validates the SSL connection between Kibana and the browser. Generally, if you have a self signed certificate, the browser will send the alert, but there won't be any problems on accesing Kibana if you make an exception. But, it is recommended to generate a different certificate for this.

3

Hi Prodrg,

May I know what contains these files: server.ssl.key and server.ssl.cert? How do I make these certificates valid using certgen so that I can make a connection between Kibana and browser? I'm using the same FQDN and IP since both Elasticsearch and Kibana are configured on the same server? I assumed that these files elasticsearch.ssl.key and elasticsearch.ssl.cert are the same with server.ssl.key and server.ssl.cert? Thanks!

4

  • server.ssl.key has the .key or .pem file and server.ssl.cert contains the .crt or .pem file.

  • If everything is on the same server, you can try using the same certificate made for Elasticsearch (it may work). If you want to create another certificate, just follow the same steps on the certgen program but name it differently compared to the Elasticsearch certificate, and later, point server.ssl.key and server.ssl.cert to the generated files (the ca files are not needed in this case). If it doesn't work, you can post the logs, to see if you are still receiving a refused connection.

5

Hi prodrg,

I think there is no connection between ES and Kibana. But I just provided the same IP and DNS of the server for these values elasticsearch.ssl.key, elasticsearch.ssl.cert, server.ssl.key and server.ssl.cert (Sorry I cannot show the IP Address but it is the IP of the server).

1386×176 12.5 KB

Even if I change the elasicsearch_url to the https://Hostname or FQDN or localhost:9200. There is still no connection between the two. Also, this is how I converted my CRT to PEM:
$ openssl x509 -text -in hostname.crt -out hostname.crt.pem

KEY to PEM:
$ openssl rsa -in hostname.key -out hostname.key.pem -outform PEM

This is my certgen values:

bin/x-pack/certgen
Please enter the desired output file [/home/es/config/x-pack/certificate-bundle.zip]: just hit enter
Enter instance name: hostname or servername but not the FQDN
Enter name for directories and files [Hostname]: just hit enter
Enter IP Addresses for instance (comma-separated if more than one) : Hostname IP Address
Enter DNS names for instance (comma-separated if more than one) : Hostname.ds.com or FQDN

Same goes for the other nodes.

Please advise! thanks.

6

Okay, the certgen process looks fine, though, and the pem file generation I am not sure, because it worked by using the crt and key files, but I guess they are valid.

Can you really connect to "https://:9200/"? If you can, so at least the problem is setting Kibana to use SSL. You can follow this guide to secure Kibana and check if there is no step missing.

7

Hi,

Currently, I am encountering this issue if i access https://localhost:5601/app/kibana

image.png1037×665 59.1 KB

This is my new kibana.yml:

logging.dest: D:\Elasticsearch 5.2.2\kibana-5.2.2-windows-x86\config\Kibana.log
logging.verbose: true

elasticsearch.url: https://hostname.ad.com:9200 (just sample)
elasticsearch.username: kibana
elasticsearch.password: changeme
console.enabled: true

elasticsearch.ssl.cert: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.crt
elasticsearch.ssl.key: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.key
elasticsearch.ssl.ca: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\ca.pem

server.ssl.key: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.key
server.ssl.cert: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\CTLSQL12WPPOC.crt

xpack.reporting.encryptionKey: "elasticsearch123456789009876543211234567890"
xpack.security.encryptionKey: "elastic123456789009876543211234567890"
xpack.security.sessionTimeout: 1800000
xpack.security.cookieName: "sid"
xpack.security.secureCookies: true

Also, this is thecurrent kibana.log:

{"rss":99397632,"heapTotal":81551360,"heapUsed":71902352},"delay":1.1906659603118896},"load":{"requests":{},"concurrents":{"5601":0},"responseTimes":{},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 68.6MB uptime: 0:07:11 load: [0.00 0.00 0.00] delay: 1.191"}
{"type":"log","@timestamp":"2017-04-01T02:10:29Z","tags":["debug","monitoring-ui"],"pid":172048,"message":"Received Monitoring event data"}
{"type":"log","@timestamp":"2017-04-01T02:10:29Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:29Z","tags":["license","debug","xpack"],"pid":172048,"message":"Calling Elasticsearch _xpack API"}
{"type":"log","@timestamp":"2017-04-01T02:10:30Z","tags":["debug","monitoring-ui"],"pid":172048,"message":"Sending Monitoring payload to Elasticsearch"}
{"type":"log","@timestamp":"2017-04-01T02:10:30Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:31Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:33Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"ops","@timestamp":"2017-04-01T02:10:34Z","tags":[],"pid":172048,"os":{"load":[0,0,0],"mem":{"total":4294361088,"free":439205888},"uptime":597975.7565101},"proc":{"uptime":436.029,"mem":{"rss":99491840,"heapTotal":81551360,"heapUsed":71996464},"delay":1.3328759670257568},"load":{"requests":{},"concurrents":{"5601":0},"responseTimes":{},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 68.7MB uptime: 0:07:16 load: [0.00 0.00 0.00] delay: 1.333"}
{"type":"log","@timestamp":"2017-04-01T02:10:34Z","tags":["debug","monitoring-ui"],"pid":172048,"message":"Received Monitoring event data"}
{"type":"log","@timestamp":"2017-04-01T02:10:34Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:35Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:36Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:38Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"ops","@timestamp":"2017-04-01T02:10:39Z","tags":[],"pid":172048,"os":{"load":[0,0,0],"mem":{"total":4294361088,"free":442843136},"uptime":597980.7626259},"proc":{"uptime":441.034,"mem":{"rss":99442688,"heapTotal":81551360,"heapUsed":71942964},"delay":1.151718020439148},"load":{"requests":{},"concurrents":{"5601":0},"responseTimes":{},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 68.6MB uptime: 0:07:21 load: [0.00 0.00 0.00] delay: 1.152"}
{"type":"log","@timestamp":"2017-04-01T02:10:39Z","tags":["debug","monitoring-ui"],"pid":172048,"message":"Received Monitoring event data"}
{"type":"log","@timestamp":"2017-04-01T02:10:39Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:40Z","tags":["debug","monitoring-ui"],"pid":172048,"message":"Sending Monitoring payload to Elasticsearch"}
{"type":"log","@timestamp":"2017-04-01T02:10:40Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:41Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2017-04-01T02:10:43Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}
{"type":"ops","@timestamp":"2017-04-01T02:10:44Z","tags":[],"pid":172048,"os":{"load":[0,0,0],"mem":{"total":4294361088,"free":441860096},"uptime":597985.7629266},"proc":{"uptime":446.034,"mem":{"rss":99450880,"heapTotal":81551360,"heapUsed":71980468},"delay":1.0620440244674683},"load":{"requests":{},"concurrents":{"5601":0},"responseTimes":{},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 68.6MB uptime: 0:07:26 load: [0.00 0.00 0.00] delay: 1.062"}
{"type":"log","@timestamp":"2017-04-01T02:10:44Z","tags":["debug","monitoring-ui"],"pid":172048,"message":"Received Monitoring event data"}
{"type":"log","@timestamp":"2017-04-01T02:10:44Z","tags":["plugin","debug"],"pid":172048,"message":"Checking Elasticsearch version"}

Also, I have installed the certificates on the server. Do you have an idea why error is still existing? I have followed the steps in the link you have provided. Thanks!

8

Hi Prodrg,

I think SAN should be created for Kibana since certificates are for Elasticsearch only? Can you verify because Kibana is not permitted by the browser to connect to the certificate?

image.png836×523 17.3 KB
\

Thanks.

9

Okay, if Chrome is telling you that there is a ERR_CERT_COMMON_NAME_INVALID, so you are putting wrong information on the instance name when generating the certificate. Remember that the instance name should be the hostname of the server.

1 Like
10

Hi Prodrg,

I think I have provided the correct hostname since hostname is just the same with the server name. Should instance name be in FQDN or server name only? Thanks.

11

Provide only the server name.

12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.