Hi Team
We are configuring ELK 8.0.0 in Docker on our system with SSL configuration.
1. SSL Authentication Between Kibana & End User (Host Machine): It's working fine with the Elasticsearch-generated CA. Kibana is running over HTTPS.
Kibana.yml

```yaml
volumes:
  - certs:/usr/share/kibana/config/certs
environment:
  - SERVERNAME=kibana
  - ELASTICSEARCH_HOSTS=https://es01:9200
  - ELASTICSEARCH_USERNAME=kibana_system
  - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
  - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
  - SERVER_SSL_ENABLED=true
  - SERVER_SSL_CERTIFICATE=config/certs/Kibana_Server/kibana_server.crt
  - SERVER_SSL_KEY=config/certs/Kibana_Server/kibana_server.key
  - ELASTICSEARCH_SSL_CERTIFICATE=config/certs/Elastic_Client/elastic_client.crt
  - ELASTICSEARCH_SSL_KEY=config/certs/Elastic_Client/elastic_client.key
  - XPACK_SECURITY_SAMESITECOOKIES=None
  - XPACK_SECURITY_ENABLED=true
```
Elasticsearch.yml

```yaml
volumes:
  - certs:/usr/share/elasticsearch/config/certs
environment:
  - xpack.security.enabled=true
  - xpack.security.http.ssl.enabled=true
  - xpack.security.http.ssl.key=certs/es01/es01.key
  - xpack.security.http.ssl.certificate=certs/es01/es01.crt
  - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
  - xpack.security.http.ssl.verification_mode=certificate
  - xpack.security.transport.ssl.enabled=false
  - xpack.security.transport.ssl.key=certs/es01/es01.key
  - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
  - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
  - xpack.security.transport.ssl.verification_mode=certificate
  - xpack.license.self_generated.type=${LICENSE}
  - discovery.type=single-node
  - xpack.security.http.ssl.client_authentication=optional
```
2. SSL Authentication Between Elasticsearch & Kibana:
This is failing with the errors below.

- When `xpack.security.http.ssl.client_authentication=optional`:
  Error: `javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors` (error.stack_trace: `io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors`)
- When `xpack.security.http.ssl.client_authentication=required`:
  Error: `javax.net.ssl.SSLHandshakeException: Empty Client Certificate Chain`

As per the above errors, I think something is missing in the ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES configuration. Currently I am giving the path of the CA signer which is used to sign all certificates. Do I have to present a chain certificate here for elastic_client.crt? Kindly provide me some suggestions.