Allow SSL/TLS with self-generated CA certs and keys on localhost

Hello ELK workers,

I'm working on the ELK stack and I managed to install it and make it work on my computer with local data, etc. I'm now trying to make the stack use SSL/TLS for the transport and HTTP layers. I took the 30-day trial to use security.

I did the Elasticsearch configuration to connect to localhost with https; here is my elasticsearch.yml file:

node.name: node-1
http.cors.enabled: true
http.cors.allow-origin: "*"
http.max_header_size: 16kb
discovery.seed_hosts: ["127.0.0.1"]
cluster.initial_master_nodes: ["node-1"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.key: certs/instance.key
xpack.security.transport.ssl.certificate: certs/instance.crt
xpack.security.transport.ssl.certificate_authorities: ["certs/ca.crt"]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/instance.key
xpack.security.http.ssl.certificate: certs/instance.crt
xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]

I used the elasticsearch-certutil tool in ca mode to create the CA and in cert mode to create the instance key and certificate. All those files are stored in a Config/certs folder that I created for each instance of the ELK stack. Then I was able to connect to https://localhost:9200

Then I generated, with the same tool, one key and certificate for Kibana (stored in config/certs in the Kibana folder), and my kibana.yml looks like this:

server.host: "localhost"
server.name: "kibana"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "?????????"
server.ssl.enabled: true
server.ssl.key: C:\Users\T6SH\Desktop\Kibana\config\certs\instance.key
server.ssl.certificate: C:\Users\T6SH\Desktop\Kibana\config\certs\instance.crt
elasticsearch.ssl.certificateAuthorities: C:\Users\T6SH\Desktop\Elasticsearch\config\certs\ca.crt

My problem is that I can launch the Elasticsearch node, but when I launch Kibana, I get errors saying:

GET https://localhost:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => unable to verify the first certificate

How do I make Kibana trust my cert? In the future my company will use a real CA, non-self-signed certs, etc., but I need it now for my tests.

Thanks for your help, merry Christmas and happy new year!

(sorry for my awful English)

Hi @LuigiDelavega,

Which version of Kibana/Elasticsearch are you working with?

At a glance, your configuration appears correct, so I want to try to reproduce this on my side with the same version you're using. I don't have a Windows machine to test on though, so hopefully it's not an OS-specific issue.

Unrelated, you likely won't want to set xpack.security.transport.ssl.verification_mode: none when you deploy to production.

Hey @Larry_Gregory,

I'm working with the 7.4.2 stack. I tried setting it to none to see if it changed anything; I put it back to certificate. Thanks for your time, I really appreciate it!

Thanks!

Can you try setting server.ssl.certificateAuthorities as well in your kibana.yml, and point that to the CA used to generate C:\Users\T6SH\Desktop\Kibana\config\certs\instance.crt?

I tried to add it, but I still get the same errors:
GET https://localhost:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => unable to verify the first certificate
HEAD https://localhost:9200/.apm-agent-configuration => unable to verify the first certificate

I'm going to set elasticsearch.ssl.verificationMode: none so I can work on other parts of the ELK stack, and when I install the stack on a dedicated server with the company CA, I don't think I'll get those errors. I have spent a lot of time on this already; I did it from scratch twice to be sure I wasn't doing something wrong.

Have a great day and thanks again for the help!
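A check for readers hitting the same error (an added example, not part of the thread): "unable to verify the first certificate" is the TLS client saying it cannot chain the served certificate to a CA it trusts, so before disabling verification it is worth confirming that the ca.crt Kibana points at is the CA that signed the instance.crt Elasticsearch serves. The helper names and the two throwaway CAs below are constructed for the demonstration; only the `openssl` commands are real.

```shell
#!/bin/sh
# Added example: all certificates here are constructed test material in a temp dir.

# issued_by CA_FILE CERT_FILE: exit 0 only if CERT_FILE chains to CA_FILE.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: create a self-signed CA (NAME.key / NAME.crt) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA_NAME LEAF_NAME: create a localhost certificate signed by CA_NAME.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# report CA_FILE CERT_FILE: print the outcome a client trusting CA_FILE would see.
report() {
    if issued_by "$1" "$2"; then
        echo "OK: $2 chains to $1"
    else
        echo "MISMATCH: $2 was not issued by $1 (client cannot verify it)"
    fi
}

# Demo: two separately generated CAs; every CA-generation run yields a new CA key.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" first-ca && make_ca "$d" second-ca &&
        make_leaf "$d" first-ca instance || return 1
    report "$d/first-ca.crt" "$d/instance.crt"    # CA that signed the certificate
    report "$d/second-ca.crt" "$d/instance.crt"   # CA from a different run
    rm -rf "$d"
}

demo
```

With the layout from the first post, the equivalent call is `issued_by certs/ca.crt certs/instance.crt` run from the Elasticsearch config folder; a MISMATCH there means the CA file and the node certificate come from different generation runs.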
