Cannot Enable Kibana for SSL

Hi,

I am getting this error when accessing kibana though my elasticsearch is working fine.

I have configured my kibana.yml this way:
server.ssl.cert: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\instancename.crt (same with elastic)
server.ssl.key: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\instancename.key (same with elastic)
elasticsearch.ssl.ca: D:\Elasticsearch 5.2.2\kibana-5.2.2-windows-x86\plugins\x-pack\ca.pem (same with elastic)

elasticsearch.url: https://instancename.com:9200

xpack.security.encryptionKey: "Elasticsearch123456789009876543211234567890"
xpack.security.sessionTimeout: 600000
xpack.security.secureCookies: true
xpack.security.cookieName: "sid"

This behavior is correct actually. It looks like your Kibana instance is using https, but the certificate hasn't been signed by a Certificate Authority your browser trusts so it marks the page as untrusted. You have three options basically.

  1. Live with this warning
  2. Import the CA certificate generated by certgen into your browser
  3. Get your Kibana certificate signed by a proper CA. You can read more about how to generate a certificate signing request here:
    https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html#generating-csr

Good luck.

Hi.

Upon checking, both ca.crt and server.crt/instancename.crt have been imported.

I'm not sure why Kibana is not reading this certificates. I have also tried importing the cert in Google Chrome by using this method:

Please advise! Thanks!

I tested this on my end to ensure things worked as expected. I did run into an issue by double clicking the CA certificate to install it rather than using the import feature from the "Manage Certificates" option in Chrome. The former wouldn't work, the latter did.

Also make sure the certificate is in the "Trusted Root Certification Authorities" tab when you view the Certificates manager.

You should also verify the Kibana certificate has the correct hostname.

Hi,

May you clarify this part of the document?

Is the server.key and server.crt the same with the node01.key and node01.crt generated in Certgen? Or we need to generate another .key and .crt which Kibana will connect to? Also, what is the subjectAltName the document is referring to? As per checking, if I create another certificate for Kibana they should have the same IP and FQDN since Elasticsearch and Kibana are configured on the same server.

Please advise! Thanks.

If you used certgen the subjectAltName should be oK (its' just where the DNS and IP address information is held). For example:

$ openssl x509 -in kibana.crt -text | grep -A 1 Alternative
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1

You should very the DNS and IP Address in the certificate are correct using the above command.

As for sharing the same certificate between various services. It's easier from a management perspective. There are some very esoteric reasons not to do this, but in reality the risk is minimal. If you want to share the certificate you probably won't have any problems.

You're access Kibana via localhost.

Unless you generated the certificate for "localhost" then that's likely to be the cause of your problem.
The hostname you enter into your browser has to match the hostname that you used when generating the certificate.

If that doesn't solve the problem, then you will need to investigate why your browser is rejecting the certificate. In chrome, you need to use the developer tools and look at the security tab. That will tell you what Chrome thinks is wrong with your certificate - otherwise we're just guessing.

Hi All,

As per checking, certificate is valid but there is connection issues.

Do we need to configure something for this? Thanks!

Also, same issue occurs even if I point the URL to the hostname's DNS. Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.