Config SSL/TLS Kibana and Elasticsearch

Hi,

I'm trying to enable Fleet in Ingest Manager, and it says I have to enable xpack.security.authc.api_key.enabled: true in elasticsearch.yml. But if I add that line, I have to add the lines below too:

 xpack.security.enabled: true
 xpack.security.authc.api_key.enabled: true
 xpack.security.http.ssl.enabled: true
 xpack.security.http.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
 xpack.security.http.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
 xpack.security.http.ssl.client_authentication: optional
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: certificate
 xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
 xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

And this is my config in kibana.yml

  elasticsearch.hosts: ["https://localhost:9200"]
  xpack.ingestManager.enabled: true
  xpack.ingestManager.fleet.tlsCheckDisabled: true
  #xpack.encryptedSavedObjects.encryptionKey: ""
  xpack.security.enabled: true
  elasticsearch.username: "elastic"
  elasticsearch.password: "mypassword"
  elasticsearch.ssl.verificationMode: certificate
  elasticsearch.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

Both Kibana and Elasticsearch show status Active after reboot. I checked the Elasticsearch log and got these messages:

 [2020-11-18T14:56:42,401][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/:9200, remoteAddress=/:63845}
 [2020-11-18T14:56:57,618][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/:9200, remoteAddress=:62987}

And I can't access the Kibana web UI :frowning:

This site can’t be reached

refused to connect.

Please help me. Thanks!

It looks like the truststore you're using has no CA certificate, or a different one than the CA that signed the certificate of your Elasticsearch instances. Could you check that?

I generated the CA using this command: bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
without creating a password for the CA. Then I moved it to the path shown above.

This looks like you just put the CA certificate where the Kibana client certificate (more exactly, the bundle including the client certificate and the CA certificate) should be.

This works just like other HTTP TLS connections: the CA needs to be known to the various clients, and every client needs its own certificate, signed by the CA.


Thanks for your suggestions. I should use bin/elasticsearch-certutil http and put
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ] in kibana.yml
and
xpack.security.http.ssl.keystore.path: "http.p12" in elasticsearch.yml
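As an added example (not from the thread or from Elastic's tooling), the trust decision behind the "http client did not trust this server's certificate" warning, reproduced offline with openssl: the CA in the file Kibana's certificateAuthorities points at must be the one that signed the leaf certificate inside the node's http.p12, and a PKCS12 bundle holds a leaf entry and CA entries that must not be confused. File names follow the thread; the CAs and certificates are constructed locally and the export password is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. A constructed CA ("good-ca") signs the
# node's HTTP certificate; an unrelated CA ("other-ca") stands in for a
# truststore that does not match. Uses openssl only; runs in a temp dir.
set -eu
WORK=$(mktemp -d); cd "$WORK"
P12_PASS=demo   # assumed export password for the constructed http.p12

gen_ca() {   # $1 = name; self-signed CA certificate + key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
gen_ca good-ca
gen_ca other-ca

# Node HTTP certificate signed by good-ca, bundled with the CA as http.p12
# (the leaf+CA layout the thread ends up with for elasticsearch.yml).
openssl req -newkey rsa:2048 -nodes -subj "/CN=es-node-1" \
  -keyout http.key -out http.csr 2>/dev/null
openssl x509 -req -days 1 -in http.csr -CA good-ca.pem -CAkey good-ca.key \
  -CAcreateserial -out http.crt 2>/dev/null
openssl pkcs12 -export -in http.crt -inkey http.key -certfile good-ca.pem \
  -out http.p12 -passout "pass:$P12_PASS"

# Split a PKCS12 bundle: the leaf (what the server presents) versus the CA
# entries (what belongs in a truststore). Mixing these up is the thread's bug.
leaf_from_p12() { openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12_PASS" 2>/dev/null; }
ca_from_p12()   { openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$P12_PASS" 2>/dev/null; }

# trust_check CA_PEM P12: exit 0 if CA_PEM signed the leaf in P12, else 1.
# This is the check Kibana makes with elasticsearch.ssl.certificateAuthorities.
trust_check() {
  leaf_from_p12 "$2" > leaf.crt
  openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
}

ca_from_p12 http.p12 > elasticsearch-ca.pem   # the PEM Kibana should point at

trust_check elasticsearch-ca.pem http.p12 && echo "elasticsearch-ca.pem: trusted"
trust_check other-ca.pem http.p12 || echo "other-ca.pem: not trusted (CA mismatch)"
```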