Encrypting communications in Kibana

philshikkim · June 19, 2019, 5:04am

Hello,

English is not my native language. I hope you get my drift.

I want to make a Kibana secure communication using https. So I made this following:

$ openssl genrsa -out server.key 2048

$ openssl req -new -key server.key -out server.csr

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

$ vi kibana.yml

server.ssl.enabled: true
server.ssl.certificate: /home/phil/elasticsearch-7.1.1/config/server.crt
server.ssl.key: /home/phil/elasticsearch-7.1.1/config/server.key

$ bin/kibana

This is working well. I can connect the Kibana using https protocol. but Kibana shows me following error logs whenever clients connect to Kibana.

</> error [04:49:21.864] [error][client][connection] Error: 140531484981120:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46</>

Is this a real error log or normal?

or Can I remove this error logs from Kibana?

I tried to use elasticsearch-certutil for making a ssl key and cert file, but it's failed. can't make a key and cert file using elasticsearch-certutil command. So I used openssl command.

Thanks in advance.

lukas · June 19, 2019, 3:12pm

Are you able to connect to Elasticsearch through Kibana using this setup?

philshikkim · June 21, 2019, 12:46am

Yes. I found that Kibana is able to connect to Elasticsearch with this setup.

GET /_cat/health?v

epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1561077975 00:46:15 elasticsearch yellow 1 1 3 3 0 0 1 0 - 75.0%

Could you give me an example of ealsticsearch-certutil for making a key and a cert file? I tried to do several times. can't make it.

I tried to do like this

$ ./elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: elastic-stack-ca.p12
Enter password for elastic-stack-ca.p12 :

$ ls /home/phil/elasticsearch-7.1.1/elastic-stack-ca.p12
/home/phil/elasticsearch-7.1.1/elastic-stack-ca.p12

$ ./elasticsearch-certutil cert --ca /home/phil/elasticsearch-7.1.1/elastic-stack-ca.p12
Enter password for CA (/home/phil/elasticsearch-7.1.1/elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :

$ vi kibana.yml

server.ssl.enabled: true
server.ssl.certificate: /home/phil/elasticsearch-7.1.1/elastic-certificates.p12
server.ssl.key: /home/phil/elasticsearch-7.1.1/elastic-certificates.p12

$ bin/kibana
log [01:13:06.046] [fatal][root] Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Object.createSecureContext (_tls_common.js:113:17)
at Server (_tls_wrap.js:870:27)
at new Server (https.js:62:14)
at Object.createServer (https.js:85:10)
at module.exports.internals.Core._createListener (/home/phil/kibana-7.1.1-linux-x86_64/node_modules/hapi/lib/core.js:491:79)
at new module.exports.internals.Core (/home/phil/kibana-7.1.1-linux-x86_64/node_modules/hapi/lib/core.js:112:30)
at new module.exports (/home/phil/kibana-7.1.1-linux-x86_64/node_modules/hapi/lib/server.js:25:18)
at Object.createServer (/home/phil/kibana-7.1.1-linux-x86_64/src/core/server/http/http_tools.js:75:20)
at HttpServer.start (/home/phil/kibana-7.1.1-linux-x86_64/src/core/server/http/http_server.js:40:36)
at HttpService.start (/home/phil/kibana-7.1.1-linux-x86_64/src/core/server/http/http_service.js:46:38)

FATAL Error: error:0906D06C:PEM routines:PEM_read_bio:no start line

$

Thanks in advance.

philshikkim · June 21, 2019, 1:47am

Thanks a lot.

I solved my problem via the following link got from Elastic news e-mail.

philshikkim · June 21, 2019, 7:18am

I found useful information at the Elasticsearch blog page above.

Publicly trusted authorities have very strict standards and auditing practices to ensure that a certificate is not created without validating proper identity ownership. For the purpose of this blog post, we will create a self-signed certificate for Kibana (meaning the generated certificate was signed by using its own private key). Due to clients(Web Browsers) not trusting self-signed Kibana certificates, you will see a message similar to the following in your Kibana logs, until proper trust is established by using certificates generated by an enterprise or public CA (here's the link to the issue in the Kibana repo). This issue does not affect your ability to work in Kibana:

[18:22:31.675] [error][client][connection] Error: 4443837888:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/s3_pkt.c:1498:SSL alert number 46

As a result, Kibana's error logs is normal.

system · July 19, 2019, 7:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.