Config SSL/TLS Kibana and Elasticsearch

aloalo2242 · November 18, 2020, 10:47am

Hi,

Im trying to enable Fleet in Ingest Manager. And it say I have to enable this xpack.security.authc.api_key.enabled: true in elasticsearch.yml. But if add that line, I have to add bellow line too:

 xpack.security.enabled: true
 xpack.security.authc.api_key.enabled: true
 xpack.security.http.ssl.enabled: true
 xpack.security.http.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
 xpack.security.http.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
 xpack.security.http.ssl.client_authentication: optional
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: certificate
 xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
 xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

And this is my config in kibana.yml

  elasticsearch.hosts: ["https://localhost:9200"]
  xpack.ingestManager.enabled: true
  xpack.ingestManager.fleet.tlsCheckDisabled: true 
  #xpack.encryptedSavedObjects.encryptionKey: ""
  xpack.security.enabled: true
  elasticsearch.username: "elastic"
  elasticsearch.password: "mypassword"
  elasticsearch.ssl.verificationMode: certificate
  elasticsearch.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

Both Kibana and Elasticsearch status after reboot is Active. I check elasticsearch log and got this response

 [2020-11-18T14:56:42,401][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/:9200, remoteAddress=/:63845}
 [2020-11-18T14:56:57,618][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/:9200, remoteAddress=:62987}

And I can't access Kibana web

This site can’t be reached

refused to connect.

Please help me. Thanks!

widhalmt · November 18, 2020, 10:54am

It looks like the trustore you're using has no or a different CA certificate than the one the signed the certificate of your Elasticsearch instances. Could you check that?

aloalo2242 · November 18, 2020, 11:03am

I generate the CA by use this cmd: bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
without create password for the CA. Then I move it to path as above.

widhalmt · November 18, 2020, 12:37pm

This looks like you just put the CA certificate where Kibana client certificate (more exact, the bundle including the client certificate and the CA certificate) should be.

This works just like other http TLS connections. So you need the CA to be known to the various clients and every client needs their own certificate, signed by the CA.

aloalo2242 · November 20, 2020, 2:37am

Thanks for your suggestions, I should use bin/elasticsearch-certutil http and put
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ] in kibana.yml
and
xpack.security.http.ssl.keystore.path: "http.p12" in elasticsearch.yml

system · December 18, 2020, 2:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fleet-Server Certificate issue Kibana elastic-stack-security , fleet	7	513	May 1, 2023
How to config kibana if xpack.security.http.ssl.enabled is false Kibana elastic-stack-security , docker	8	4350	July 19, 2022
ElasticSearch pods are in intializing dstate after configuring xpack security and tls Elasticsearch	1	293	May 11, 2022
Help needed for certificate configuration Elasticsearch	14	957	January 15, 2024
Trying to figure out how to enable x-pack Elasticsearch elastic-stack-security	2	3144	January 28, 2020

Config SSL/TLS Kibana and Elasticsearch

Related topics