Creation of SSL Certs Assistance

sancroth · August 10, 2017, 8:20am

We have created a test setup to use elastic in production next month.
Our current setup related to Elastic is a single node with 16gigs.

Personally i do not have knowledge of creating certs etc so if i say something wrong please have this in mind.

A colleague of mine suggested that we should create one cert for Kibana and one cert for the Elastic Node so we went that way.From what i read though i understood that we should only create certs for nodes. But since i lack the experience i followed his suggestions.

Cert creation

Enter instance name: Artorias
Enter name for directories and files [Artorias]:
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1
Enter DNS names for instance (comma-separated if more than one) []: localhost
Would you like to specify another instance? Press 'y' to continue entering instance information: y
Enter instance name: Kibana
Enter name for directories and files [Kibana]:
Enter IP Addresses for instance (comma-separated if more than one) []: 76.67.76.67
Enter DNS names for instance (comma-separated if more than one) []: Kibanatest.mydomain.com

Public IP's,domains etc are not the real ones

Then unzipped the cert files created and edited the yml files.

elastic.yml

xpack.ssl.key:                     /etc/elasticsearch/Artorias/Artorias.key 
xpack.ssl.certificate:             /etc/elasticsearch/Artorias/Artorias.crt 
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/ca/ca.crt" ]
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.audit.enabled: true

kibana.yml

elasticsearch.url: "https://127.0.0.1:9200"
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.username: "kibana"
elasticsearch.password: "@kibana@"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/Kibana/Kibana.crt
server.ssl.key: /etc/kibana/Kibana/Kibana.key
elasticsearch.ssl.certificate: /etc/elasticsearch/Artorias/Artorias.crt
elasticsearch.ssl.key: /etc/elasticsearch/Artorias/Artorias.key
elasticsearch.ssl.verificationMode: none

Passwords and usernames shown above are not the real ones

Also changed the kibana and elasticsearch passwords using curl.

After all that when we try to connect to kibana we get "Error to many redirects".
Using curl to localhost:9200 returns a security error and suggests to use --insecure.

curl -u elastic https://127.0.0.1:9200

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

EDIT: While making this post we noticed this piece of commented code :

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

Which led us to changed this piece of the kibana.yml which actually allowed us to login on kibana :

# The Kibana server's name.  This is used for display purposes.
server.name: "localhost"

The previous value was "your-hostname" and was commented out.
But since it states that it is for display purposes only i cannot understand why this could create an error

Can you please take a look on our configurations?
Is there anything wrong that we need to change?
The fact that we made it work doesn't mean it's actually correct and optimal.

Also any suggestions would be great.

chrisronline · August 15, 2017, 6:47pm

Hey Nick,

Sorry for the delay.

Just to clarify:

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

This comment aligns with this Kibana config:

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"

Did you update that config as well, or is it still commented out?

Thanks

sancroth · August 16, 2017, 8:47am

Chris thank you a lot for your reply.

This line :
#elasticsearch.preserveHost: true
remains commented out.

chrisronline · August 16, 2017, 1:50pm

Hey Nick,

How about server.host within kibana.yml?

Thanks

sancroth · August 16, 2017, 1:58pm

# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
# to Kibana. This setting cannot end in a slash.
#server.basePath: ""

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name.  This is used for display purposes.
server.name: "localhost"

# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "https://127.0.0.1:9200"

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "discover"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana"
elasticsearch.password: "Supersecurekibanapassword"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/Kibana/Kibana.crt
server.ssl.key: /etc/kibana/Kibana/Kibana.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
elasticsearch.ssl.certificate: /etc/elasticsearch/Artorias/Artorias.crt
elasticsearch.ssl.key: /etc/elasticsearch/Artorias/Artorias.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: none

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid

# Enables you specify a file where Kibana stores log output.
logging.dest: /var/log/kibana/kibana.log

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# The default locale. This locale can be used in certain circumstances to substitute any missing
# translations.
#i18n.defaultLocale: "en"

Blockquote

This is the whole conf file Chris.

system · September 13, 2017, 1:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.