Elasticsearch can't login https://localhost:9200 after setting ssl

Environment: Win10 WLS2 Ubuntu 20.04, Docker version 20.10.5, Docker-compose version 1.29.0, ELK 7.12.0, nginx version 1.18.0

I enabled xpack in the last version of my docker-compose.yml and used ./bin/elasticsearch-setup-passwords auto to create accounts and passwords. Logging in with the elastic username and its corresponding password works fine for both Elasticsearch (http://localhost:9200) and Kibana (http://localhost:5601). The parameters and their values in the .env file are correct, and the docker-compose.yml file is as below.

version: '2.2'
services:
  elasticsearch:
    image: elasticsearch:7.12.0
    privileged: true
    user: root
    command:
      - /bin/bash
      - -c
      - sysctl -w vm.max_map_count=262144 && su elasticsearch -c bin/elasticsearch
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Dhttp.proxyHost=172.23.176.1 -Dhttp.proxyPort=7890 -Dhttps.proxyHost=172.23.176.1 -Dhttps.proxyPort=7890"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - esdata1:/usr/share/elasticsearch/data
      - ./analysis-ik/IKAnalyzer.cfg.xml:/usr/share/elasticsearch/config/analysis-ik/IKAnalyzer.cfg.xml
    ports:
      - 9200:9200
    networks:
      - elastic

  kibana:
    image: kibana:7.12.0
    container_name: kibana
    depends_on: 
      - elasticsearch

    environment:
      - xpack.security.enabled=true
      - ELASTICSEARCH_URL=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=$KIBANA_SYSTEM_PASSWORD

    ports:
      - 5601:5601
    networks:
      - elastic

volumes:
  esdata1:
    driver: local
networks:
  elastic:
    driver: bridge

To secure the connection, I tried to configure SSL. I generated .crt and .key files for ca, elasticsearch and kibana with the code below.

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out elasticsearch.crt \
            -keyout elasticsearch.key \
            -subj "/C=CN/ST=Beijing/L=Beijing/O=XXXX/OU=XXXX"

I followed the official docs' guideline to configure docker-compose.yml, but the new version of the file does not work. I have checked that all the .key and .crt files are placed in the correct location; I have not added these files to nginx. I can open https://localhost:9200, but after typing the username elastic and its password, the webpage refreshes and is still on the original page.

As for the Browser's Console of https://localhost:9200, it says Failed to load resource: the server responded with a status of 401 ()

New docker-compose.yml is as below.

version: "2.2"

services:
  elasticsearch:
    image: elasticsearch:${VERSION}
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/elasticsearch/elasticsearch.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/elasticsearch/elasticsearch.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/elasticsearch/elasticsearch.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/elasticsearch/elasticsearch.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
      - ./analysis-ik/IKAnalyzer.cfg.xml:/usr/share/elasticsearch/config/analysis-ik/IKAnalyzer.cfg.xml
      # - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - certs:$CERTS_DIR
    ports:
      - 9200:9200
      - 9300:9300
    networks:
      - elastic
    mem_limit: 2g # Delete when deploy in the server

    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5

  kibana:
    image: kibana:${VERSION}
    container_name: kibana
    depends_on: {elasticsearch}
    depends_on: {"elasticsearch": {"condition": "service_healthy"}}
    ports:
      - 5601:5601
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://elasticsearch:9200
      ELASTICSEARCH_HOSTS: https://elasticsearch:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: ${KIBANA_SYSTEM_PASSWORD}
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kibana/kibana.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kibana/kibana.crt
    volumes:
      - certs:$CERTS_DIR
    networks:
      - elastic

volumes:
  data01:
    driver: local
  certs:
    driver: local

networks:
  elastic:
    driver: bridge

Both of the commands below are not OK.

$ docker run --rm -v es_certs:/certs --network=es_elastic elasticsearch:7.12.0 curl --cacert /certs/ca/ca.crt -u elastic:PASSWORD https://elasticsearch:9200
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ docker run --rm -v es_certs:/certs --network=es_elastic elasticsearch:7.12.0 curl --insecure --cacert /certs/ca/ca.crt -u elastic:PASSWORD https://elasticsearch:9200
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   465  100   465    0     0   5109      0 --:--:-- --:--:-- --:--:--  5109
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}

How to fix it?
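
The `openssl req ... -x509` command in the question emits a self-signed certificate on every run, so an `elasticsearch.crt` produced that way is not issued by `ca.crt` (consistent with the `curl: (60) ... self signed certificate` output above), and its `-subj` carries no host name. As an added example that is not part of the original thread, the script below contrasts that with a leaf certificate signed by a CA and checks both with `openssl verify`; every subject, file name, key size and lifetime in it is constructed for the demo.

```shell
#!/bin/sh
# Added example; subjects, file names and lifetimes are constructed for the demo.

# Minimal request config so results do not depend on the system openssl.cnf.
write_cnf() {  # $1 = work dir
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

# Same shape as the command in the question: -x509 makes the cert its own issuer.
make_self_signed() {  # $1 = work dir
  openssl req -config "$1/req.cnf" -newkey rsa:2048 -x509 -sha256 -days 30 -nodes \
    -out "$1/selfsigned.crt" -keyout "$1/selfsigned.key" \
    -subj "/CN=elasticsearch" 2>/dev/null
}

# A CA first, then a node key + CSR, then a leaf signed by the CA with SAN entries.
make_ca_signed() {  # $1 = work dir
  openssl req -config "$1/req.cnf" -newkey rsa:2048 -x509 -sha256 -days 30 -nodes \
    -out "$1/ca.crt" -keyout "$1/ca.key" -subj "/CN=Demo CA" 2>/dev/null
  openssl req -config "$1/req.cnf" -newkey rsa:2048 -sha256 -nodes \
    -out "$1/node.csr" -keyout "$1/node.key" -subj "/CN=elasticsearch" 2>/dev/null
  printf 'subjectAltName=DNS:elasticsearch,DNS:localhost,IP:127.0.0.1\n' > "$1/san.ext"
  openssl x509 -req -in "$1/node.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$1/san.ext" \
    -out "$1/node.crt" 2>/dev/null
}

# Prints yes if cert $2 chains to the CA in $1 and is valid for host name $3.
chain_ok() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

work=$(mktemp -d)
write_cnf "$work"; make_self_signed "$work"; make_ca_signed "$work"
echo "self-signed leaf against ca.crt: $(chain_ok "$work/ca.crt" "$work/selfsigned.crt" elasticsearch)"
echo "CA-signed leaf against ca.crt:   $(chain_ok "$work/ca.crt" "$work/node.crt" elasticsearch)"
```

In the second compose file, the CA-signed pair is what `xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key` would point at, with the CA certificate as `certificate_authorities`.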

Welcome to our community! :smiley:

That popup looks like nginx, not the Elastic Stack.
What are you using nginx for?

Thanks for your quick reply. I want to build a search engine and need an index page, so I use nginx for SSL security, including redirecting HTTP port 80 to HTTPS port 443.
So your opinion is that my nginx setting is not correct. Could you give any clues so I can google and try to fix the bug?

I would start by removing nginx and then seeing if it goes away.

I stopped nginx, but the console still shows the failure Failed to load resource: the server responded with a status of 401 (). I think it is not the nginx problem because I do not have it listening on port 9200.
Is there any way to reset the ELK password for Docker users?

What console?

I am not sure what that means, sorry.

Docker doesn't have Elasticsearch users, so I am not sure what you mean there either, sorry.

Sorry, I did not describe the problem carefully.

This is the console pic

I think it is not the nginx problem because I do not have it listening on port 9200.

I use the nginx default settings; it only listens on port 80. So I think it has nothing to do with 9200.

Docker doesn't have Elasticsearch users, so I am not sure what you mean there either, sorry.
I run ELK

I used the Docker elasticsearch image; I used docker exec to get into the container and set the password.

Again, I would suggest you totally remove nginx from this and make sure auth to Elasticsearch works fine.

With Docker, I only need to remove the nginx container. I have tried removing it, and it still does not work; it is the same problem.

In case it helps...

Here is how I'm setting that up with docker compose (docker-compose.yml):

---
version: '3'
services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:$ELASTIC_VERSION
    environment:
      - bootstrap.memory_lock=true
      - discovery.type=single-node
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
      - xpack.security.enabled=$ELASTIC_SECURITY
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - 9200:9200
    networks: ['stack']

  kibana:
    image: docker.elastic.co/kibana/kibana:$ELASTIC_VERSION
    environment:
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=$ELASTIC_PASSWORD
    ports: ['5601:5601']
    networks: ['stack']
    links: ['elasticsearch']
    depends_on: ['elasticsearch']

networks:
  stack: {}

.env file is:

ELASTIC_VERSION=7.12.0
ELASTIC_SECURITY=true
ELASTIC_PASSWORD=changeme

Thanks for the reply. My first docker-compose.yml file is like yours. Yes, it works well. The picture below is what I captured after running docker-compose with my first docker-compose.yml.

However, I wanted to run the project in production mode, so I had to consider its security. So I configured a new docker-compose.yml file (my second config file). It doesn't work.

As for my .env file, it is OK.

VERSION=7.12.0
ELASTICSEARCH_PASSWORD=changeme
KIBANA_SYSTEM_PASSWORD=changeme
COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates

So are there any clues about solving this problem?
