Authenticate Elasticsearch <--> Kibana Client Communication (xpack.security.http.ssl.client_authentication)

Hi Team
We are configuring ELK Docker 8.0.0 in our system with SSL Configuration.

  1. SSL Authentication Between Kibana & End User (Host Machine): It's working fine with the Elasticsearch-generated CA. Kibana is running over secure HTTPS.

Kibana.yml


volumes:
      - certs:/usr/share/kibana/config/certs
environment:
      - SERVERNAME=kibana
      - ELASTICSEARCH_HOSTS=https://es01:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=config/certs/Kibana_Server/kibana_server.crt
      - SERVER_SSL_KEY=config/certs/Kibana_Server/kibana_server.key
      - ELASTICSEARCH_SSL_CERTIFICATE=config/certs/Elastic_Client/elastic_client.crt
      - ELASTICSEARCH_SSL_KEY=config/certs/Elastic_Client/elastic_client.key
      - XPACK_SECURITY_SAMESITECOOKIES=None
      - XPACK_SECURITY_ENABLED=true

Elasticsearch.yml

volumes:
      - certs:/usr/share/elasticsearch/config/certs
environment:
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es01/es01.key
      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=false
      - xpack.security.transport.ssl.key=certs/es01/es01.key
      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
      - discovery.type=single-node
      - xpack.security.http.ssl.client_authentication=optional

  2. SSL Authentication Between Elasticsearch & Kibana:

This is failing with the errors below:

  • When “xpack.security.http.ssl.client_authentication=optional”

Error: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors","error.stack_trace":"io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

  • When “xpack.security.http.ssl.client_authentication=required”

Error: javax.net.ssl.SSLHandshakeException: Empty Client Certificate Chain Error

As per the above errors, I think something is missing in the configuration of ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES. Currently I am giving the path of the CA signer which is used to sign all certificates. Do I have to present a certificate chain here for elastic_client.crt? Kindly provide me with some suggestions.
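
An added example, not part of the original posts: a shell check that a client certificate chains to the CA file the server is configured to trust, which is the condition behind the "Path does not chain with any of the trust anchors" error quoted above. It assumes OpenSSL 1.1.0 or newer; the CAs, certificates and file names are constructed throwaway test data, not the poster's files.

```shell
#!/bin/sh
# Added example. All keys, certificates and names are constructed test data.
# Assumes OpenSSL 1.1.0 or newer on PATH.

# chains_to TRUSTED_CA_PEM CERT_PEM
# Succeeds only if CERT_PEM validates as a TLS client certificate against
# TRUSTED_CA_PEM; -no-CApath keeps the system trust directory out of it.
chains_to() {
    openssl verify -no-CApath -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# build_demo DIR: two unrelated CAs, each signing one client certificate.
build_demo() {
    cnf="$1/ca.cnf"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' 'commonName=unused' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$cnf"
    for ca in es-trusted-ca other-ca; do
        openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$ca" -keyout "$1/$ca.key" -out "$1/$ca.crt" 2>/dev/null &&
        openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=client-of-$ca" -keyout "$1/client-$ca.key" \
            -out "$1/client-$ca.csr" 2>/dev/null &&
        openssl x509 -req -in "$1/client-$ca.csr" -CA "$1/$ca.crt" \
            -CAkey "$1/$ca.key" -CAcreateserial -days 1 \
            -out "$1/client-$ca.crt" 2>/dev/null || return 1
    done
}

# Demo: the server trusts only es-trusted-ca.crt. One client certificate was
# issued by that CA, the other by a CA the server has never been given.
d=$(mktemp -d)
build_demo "$d"
for c in client-es-trusted-ca client-other-ca; do
    if chains_to "$d/es-trusted-ca.crt" "$d/$c.crt"; then
        echo "$c: chains to the trusted CA"
    else
        echo "$c: does NOT chain to the trusted CA; its issuer is:"
        openssl x509 -in "$d/$c.crt" -noout -issuer
    fi
done
rm -rf "$d"
```

Run against real files, the first argument is the CA file named in xpack.security.http.ssl.certificate_authorities and the second is the certificate Kibana presents as its client certificate.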


Please don't post pictures of text, logs or code. They are difficult to read, impossible to search and replicate (if it's code), and some people may not even be able to see them 🙂

Experiencing the same issue.
xpack.security.http.ssl.client_authentication=optional is OK, xpack.security.http.ssl.client_authentication=required causes

"javax.net.ssl.SSLHandshakeException: Empty client certificate chain" at Elasticsearch side.

Looks like Elasticsearch is configured properly:

# curl --cacert /etc/kibana/ca.crt --cert-type P12 --cert kibana.p12 https://192.168.1.100:9200
  "name" : "...",
  "cluster_name" : "elasticsearch",
<...>

# curl --cacert /etc/kibana/ca.crt https://192.168.1.100:9200
curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0

Looks like Kibana doesn't send a client certificate.
My kibana.yml Elasticsearch-related config is:

elasticsearch.hosts: ["https://192.168.1.100:9200"]
elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.keystore.path: /etc/kibana/kibana.p12
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca.crt" ]
