Authenticate Elasticsearch <--> Kibana Client Communication (xpack.security.http.ssl.client_authentication)s

Lokesh_Sachdeva · May 18, 2022, 9:04am

Hi Team
We are configuring ELK Docker 8.0.0 in our system with SSL Configuration.

List item

SSL Authentication Between Kibana & End User (Host Machine): Its working fine with Elasticsearch generated CA. Kibana is running over secure HTTPS.

Kibana.yml


volumes:
      - certs:/usr/share/kibana/config/certs
Environment:
      - SERVERNAME=kibana
      - ELASTICSEARCH_HOSTS=https://es01:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=config/certs/Kibana_Server/kibana_server.crt
      - SERVER_SSL_KEY=config/certs/Kibana_Server/kibana_server.key
      - ELASTICSEARCH_SSL_CERTIFICATE=config/certs/Elastic_Client/elastic_client.crt
      - ELASTICSEARCH_SSL_KEY=config/certs/Elastic_Client/elastic_client.key
      - XPACK_SECURITY_SAMESITECOOKIES=None
      - XPACK_SECURITY_ENABLED=true

Elasticsearch.yml

volumes:
      - certs:/usr/share/elasticsearch/config/certs
environment:
       - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es01/es01.key
      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=false
      - xpack.security.transport.ssl.key=certs/es01/es01.key
      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
      - discovery.type=single-node
      - xpack.security.http.ssl.client_authentication=optional

List item

SSL Authentication Between Elasticsearch & Kibana:

This is getting failed with below errors

List item

When “xpack.security.http.ssl.client_authentication=optional”

Error: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors","error.stack_trace":"io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

List item

When “xpack.security.http.ssl.client_authentication=required”

Error: javax.net.ssl.SSLHandshakeException: Empty Client Certificate Chain Error

As per above errors, I think something is missing to configure in ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES. Currently I am giving a path for ca signer which is used to sign all certificate. Do I have to present a chain certificate here for elastic_client.crt. Kindly provide me some suggestion.

warkolm · May 19, 2022, 4:22am

Please don't post pictures of text, logs or code. They are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them

psylity · May 30, 2022, 10:30am

Experiencing the same issue.
xpack.security.http.ssl.client_authentication=optional is ok, xpack.security.http.ssl.client_authentication=required causes

"javax.net.ssl.SSLHandshakeException: Empty client certificate chain" at Elasticsearch side.

looks like Elasticsearch is configured properly:

# curl --cacert /etc/kibana/ca.crt --cert-type P12 --cert kibana.p12 https://192.168.1.100:9200
  "name" : "...",
  "cluster_name" : "elasticsearch",
<...>

# curl --cacert /etc/kibana/ca.crt https://192.168.1.100:9200
curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0

Looks like kibana doesn't send client certificate.
My kibana.yml Elasticsearch related config is:

elasticsearch.hosts: ["https://192.168.1.100:9200"]
elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.keystore.path: /etc/kibana/kibana.p12
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca.crt" ]

system · June 27, 2022, 10:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana issue connecting to elasticsearch via https Kibana docker	2	694	June 17, 2022
ElasticSearch With Logstash SSL communication error Logstash elastic-stack-security , docker	4	393	April 9, 2024
Kibana <---> Elasticsearch integration with SSL enable Kibana elastic-stack-security , docker	6	481	September 16, 2022
Kibana SAML authentication issue Elasticsearch elastic-stack-security	16	8019	March 14, 2018
How to config kibana if xpack.security.http.ssl.enabled is false Kibana elastic-stack-security , docker	8	4296	July 19, 2022

Authenticate Elasticsearch <--> Kibana Client Communication (xpack.security.http.ssl.client_authentication)s

Related Topics