Broke login to kibana

after doing the minimal security configuration (Built-in users | Elasticsearch Guide [8.5] | Elastic) I can no longer log into the kibana webui. the login of the webpage loads, but doesn't accept kibanaadmin and its password (set by "echo "kibanaadmin:openssl passwd -apr1" | sudo tee -a /etc/nginx/htpasswd.users" from How To Install Elasticsearch, Logstash, and Kibana (Elastic Stack) on Ubuntu 20.04 | DigitalOcean)

The webpage replies to my attempt with "Username or password is incorrect. Please try again." I assume the minimal security setup somehow broke kibanaaadmin. But I don't know how, or why, or how to fix it.

/var/log/kibana has the following at each login attempt....

{"type":"log","@timestamp":"2022-12-14T22:19:49+00:00","tags":["info","plugins","security","routes"],"pid":486,"message":"Logging in with provider \"basic\" (basic)"}
{"type":"response","@timestamp":"2022-12-14T22:19:49+00:00","tags":[],"pid":486,"method":"post","statusCode":401,"req":{"url":"/internal/security/login","method":"post","headers":{"connection":"upgrade","host":"x.x.x.x","content-length":"175","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"","content-type":"application/json","kbn-version":"7.17.8","origin":"http://x.x.x.x"},"remoteAddress":"","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","referer":""},"res":{"statusCode":401,"responseTime":33,"contentLength":277},"message":"POST /internal/security/login 401 33ms - 277.0B"}

If I comment out true then I can log in (with no security) and if I again uncomment it, no login.

Advise Please

I thought maybe I need to create another user, but I can't create another user (as per Elasticsearch Create User) it says

"Start by launching Kibana, then log in. Use the passwords you used when setting up."

But this is the exact password that does not work with " true"

I have done a
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
And I do have the password which I interacted. These users don't log into the web gui either.

I have also, just now, tried
echo "kibanaadmin:openssl passwd -apr1" | sudo tee -a /etc/nginx/htpasswd.users to reset this password after all other work I have done. Notta.

Kibana does not use nginx to manage access control on any level, so your use of if here is really only complicating matters more than they need to be.

Can you try to curl Elasticsearch with one of these? What is the response?

Thanks for the reply! I'm pulling out hair here.

I don't know what you mean but curl from these users. They don't log into the cli, do they? I think these are just 'service' accounts for communication between the idfferen elk apps in the stack.

sudo su - kibana_system
[sudo] password for cygne: 
su: user kibana_system does not exist or the user entry does not contain all the required fields

You want to do curl -u username:password https://ElasticsearchIPorHostname:9200.


curl -u $UN:$PW http://:9200$HN
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [kibana_system] for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"unable to authenticate user [kibana_system] for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}c

This sounds like a bad password. Although, I took good notes. How do I reset this password? It says " After you set a password for the elastic user, you cannot run the elasticsearch-setup-passwords command a second time." I can't be the first potential fat finger. (actually, I did buy a new keyboard just before this project)

You can try resetting the password

elasticsearch-reset-password --username user1 -i

it does not appear --username is an option.

sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords --help
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Sets the passwords for reserved users

auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user

Non-option arguments:

Option             Description        
------             -----------        
-E <KeyValuePair>  Configure a setting
-h, --help         Show help          
-s, --silent       Show minimal output
-v, --verbose      Show verbose output

I don't think it like that -i either. The command specified (in reference above) is elasticsearch-set-password interactive (no - / or --) and --help spits out the same as above.

Am I looking at a complete re-install? Or can I just reinstall elasticsearch, which seems to be the app that holds the credentials for the others?

$ sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password --help
Resets the password of users in the native realm and built-in users.

Option (* = required)  Description
---------------------  -----------
-E <KeyValuePair>      Configure a setting
-a, --auto
-b, --batch
-f, --force            Use this option to force execution of the command
                         against a cluster that is currently unhealthy.
-h, --help             Show help
-i, --interactive
-s, --silent           Show minimal output
* -u, --username       The username of the user whose password will be reset
--url                  the URL where the elasticsearch node listens for
-v, --verbose          Show verbose output

ahh tanks. I got it.

root@ip-172-31-19-233:/home# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Failed to authenticate user 'elastic' against
Possible causes include:
 * **The password for the 'elastic' user has already been changed on this cluster**
** * Your elasticsearch node is running against a different keystore**
   This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore
ERROR: Failed to verify bootstrap password

Is borked? proper borked.


/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

is an option, then I wouldn't know the passwords for those usernames and I would not be able to login at the kibana web gui with one of those usernames. I don't use what was set with htpasswd (kibanaadmin) who/what then, do I use to log into the web interface?

i've decided to change gears and drop digitaloceans tutorial and go with With which, I did get farther, but got stuck again. I will open a new thread for that problem.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.