Creating an enrollment token for Kibana impossible with a Let's Encrypt certificate

After the problem I indicated in the post "I can't get Elastic and Kibana to work with real certificates", I was finally able to understand the issue of needing to pass the --url in the command.

But now, when I want to generate the enrollment for Kibana, I get a new error which I am not able to get out of and about which I see a lot of literature, but it does not fit the situation.

root@elk2:~# systemctl restart elasticsearch.service && systemctl restart kibana
root@elk2:~# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -url https://elk2.mydomain.ovh:9200  -vvv
Unexpected http status [401] while attempting to determine cluster health. Will retry at most 5 more times.
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y


Password for the [elastic] user successfully reset.
New value: SoMePa$$w0rd
root@elk2:~# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana --url  https://elk2.mydomain.ovh:9200 -vvvv
Unexpected http status [401] while attempting to determine cluster health. Will retry at most 5 more times.
Unable to create enrollment token for scope [kibana]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore

Elasticsearch log

[2022-10-24T07:05:34,618][INFO ][o.e.x.s.a.f.FileUserPasswdStore] [elk2] users file [/etc/elasticsearch/users] changed. updating users...
[2022-10-24T07:05:34,620][INFO ][o.e.x.s.a.f.FileUserRolesStore] [elk2] users roles file [/etc/elasticsearch/users_roles] changed. updating users roles...

Elasticsearch config

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: elk2.endesarrollo.ovh
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/privkey.pem
  certificate: certs/fullchain.pem
  certificate_authorities: [
    "certs/fullchain.pem",
    "certs/cacert.x1.pem",
  ]
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  #client_authentication: required
  key: certs/privkey.pem
  certificate: certs/fullchain.pem
  certificate_authorities: [
    "certs/fullchain.pem",
    "certs/cacert.x1.pem",
  ]
cluster.initial_master_nodes: ["elk2.endesarrollo.ovh"]
http.host: 0.0.0.0

I appreciate any help.

The error means you need to configure your HTTP TLS with a keystore instead of PEM files; specifically, replacing

xpack.security.http.ssl:
  enabled: true
  key: certs/privkey.pem
  certificate: certs/fullchain.pem

With something like

xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

where http.p12 is a PKCS#12 file that contains the server's private key and cert. Because of this bug, generating a Kibana enrollment token also requires the CA key to be present in the keystore, which may not be possible if you are using a public CA. If that's the case, you'll have to manually configure Kibana.


My issue is not with the self-signed certificates generated by Elasticsearch, but with the ones signed by Let's Encrypt. In fact, the configuration that I indicate has nothing to do with self-signed certificates.

All the best.

I think there are some misunderstandings. The certs/http.p12 is merely a placeholder name. It does not mean a self-signed certificate. What you need to do is create such a PKCS#12 file (with a tool like OpenSSL or keytool) by importing your own private key and the cert signed by Let's Encrypt. You can name the file however you want.

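The steps the two replies above describe (package privkey.pem and fullchain.pem into a PKCS#12 keystore, store its password in the Elasticsearch keystore, then point xpack.security.http.ssl.keystore.path at it), worked through as an added example; this is not code from the thread or from Elastic. It assumes the OpenSSL command line is installed, that the PEM files live under /etc/elasticsearch/certs, and that the Elasticsearch CLI tools are in /usr/share/elasticsearch/bin. Because a Let's Encrypt key is not available offline, the demo constructs a throwaway key and self-signed certificate to stand in for privkey.pem and fullchain.pem; with real files you call build_http_p12 directly on them.

```shell
#!/bin/sh
# Added example: build the PKCS#12 keystore that the enrollment-token tool
# expects on the HTTP layer from Let's Encrypt PEM files.
# Assumed paths (not from the thread): /etc/elasticsearch/certs and
# /usr/share/elasticsearch/bin.
set -eu

ES_BIN=/usr/share/elasticsearch/bin
CERT_DIR=/etc/elasticsearch/certs

# build_http_p12 KEY CHAIN OUT PASSWORD
# Packages the private key and the full chain (leaf first, as Let's Encrypt
# writes fullchain.pem) into one PKCS#12 file. The chain is passed as -in so
# the intermediate is kept; "-name http" is the alias Elasticsearch will see.
build_http_p12() {
  key="$1"; chain="$2"; out="$3"; pass="$4"
  openssl pkcs12 -export \
    -inkey "$key" \
    -in "$chain" \
    -name http \
    -out "$out" \
    -passout "pass:$pass"
  chmod 640 "$out"
}

# p12_cert_count FILE PASSWORD -> prints how many certificates the keystore holds
# (leaf plus intermediates); a quick sanity check that the chain went in.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# p12_key_matches_cert FILE PASSWORD -> succeeds only if the private key in the
# keystore belongs to the leaf certificate (compares the two public keys).
p12_key_matches_cert() {
  p12="$1"; pass="$2"
  key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null)
  cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# register_keystore_password PASSWORD
# Stores the PKCS#12 password in the Elasticsearch secure keystore so it does
# not have to appear in elasticsearch.yml (setting name from the Elastic docs).
register_keystore_password() {
  printf '%s' "$1" | "$ES_BIN/elasticsearch-keystore" add -x \
    xpack.security.http.ssl.keystore.secure_password
}

# make_stand_in_chain DIR
# Constructed test material only: a throwaway EC key and self-signed cert
# written as privkey.pem / fullchain.pem so the example runs offline.
make_stand_in_chain() {
  dir="$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
    -days 1 -subj '/CN=elk2.example.test' >/dev/null 2>&1
}

# Offline demo: build and verify a keystore from the constructed stand-in files.
# Against a real host you would run
#   build_http_p12 $CERT_DIR/privkey.pem $CERT_DIR/fullchain.pem $CERT_DIR/http.p12 "$PASS"
#   register_keystore_password "$PASS"
# and then set in elasticsearch.yml:
#   xpack.security.http.ssl:
#     enabled: true
#     keystore.path: certs/http.p12
demo() {
  work=$(mktemp -d)
  make_stand_in_chain "$work"
  build_http_p12 "$work/privkey.pem" "$work/fullchain.pem" "$work/http.p12" demo-pass
  echo "certificates in keystore: $(p12_cert_count "$work/http.p12" demo-pass)"
  p12_key_matches_cert "$work/http.p12" demo-pass && echo "key matches leaf certificate"
  rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to exercise it offline. On the real host, leave the keystore owned by root with group elasticsearch so the service can read it but nothing else can, and remember that Let's Encrypt renews every 90 days, so the PKCS#12 file has to be rebuilt (and Elasticsearch reloads the HTTP keystore) after each renewal; the `certificate_authorities` entries from the original config are not needed for the keystore path itself.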
