Certificate issue with elasticsearch SSL

Hi All,

We have created a self signed certificate for elasticsearch to use elastic through https, all working good with self signed certificate ( which is not a trusted certificate)

Now we got a trusted certificate and now when we try to update the trusted certificate, our kibana is not working, its just says kibana is not ready.

Here are my configurations in elasticsearch.yml

#-------------------------------------TLS/SSL--------------------------------------
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elastic.demo.com_2020.cer
#xpack.security.transport.ssl.key: /etc/elasticsearch/certs/server.key
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elastic.demo.com_2020.cer
#xpack.security.http.ssl.key: /etc/elasticsearch/certs/server.key
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#xpack.security.http.ssl.client_authentication: optional
#xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#

In the above configuration elastic-certificates.p12 is my self signed certificate and elastic.demo.com_2020.cer is my authorized certificate.

Configuration in Kibana.yml

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
#server.ssl.keystore.path: "/etc/kibana/certs/elastic-certificates.p12"
#server.ssl.keystore.password: ""
server.ssl.certificate: /etc/kibana/certs/elastic.demo.com_2020.cer
server.ssl.key: /etc/kibana/certs/server.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
elasticsearch.ssl.truststore.path: "/etc/kibana/certs/elastic-certificates.p12"
elasticsearch.ssl.truststore.password: ""

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
#elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/client-ca.cer
elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/elastic.demo.com_2020.cer
elasticsearch.ssl.key: /etc/kibana/certs/server.key

In the above configuration elastic-certificates.p12 is my self signed certificate and elastic.demo.com_2020.cer is my authorized certificate.

I have been confused i which certificate to use where, sorry for so many commented out lines.

Please advice.

Thanks
Gautham

Please check kibana log and update here

@rijinmp One more update, kibana url is working properly with the authorized certificate.

https://elastic.demo.com:5601

But my elasticsearch is still using non secured connection only (https://elastic.demo.com:9200), once i update elasticsearch.yml with my authorized certificate,
Then 2 problems arise,

  1. Cluster will have only one server (actually i have 2 node cluster)
  2. kibana will not work, it says kibana is not ready.

the log says, no living connections.

{"type":"log","@timestamp":"2021-03-29T14:33:26Z","tags":["warning","elasticsearch","admin"],"pid":29608,"message":"No living connections"}

Thanks
Gauti

This file contains the certificate of your Elasticsearch node. What you need to put in this setting is the CA certificate that has signed elastic.demo.com_2020.cer and you can probably get that from the same team in your organization that gave you elastic.demo.com_2020.cer.

1 Like

I think i got the root cause of the issue.

I have a 2 node cluster and kibana is installed in one of those node and the dns name has been set for the node which holds the kibana and the other node is not added to dns, i think that might be the problem.

I'm not sure how to proceed now, if i add another node to the same dns name then kibana might not work because kibana is installed in only one server.
How to tackle this situation, any advice please.

Thanks
Gautham