Error: ENOENT: no such file or directory, open 'config/kibana-server.key'

I have an issue setting up basic security for the Elastic Stack plus secured HTTPS traffic when I try to set it in kibana.yml.
Elastic is working and reachable over HTTPS, but I receive the following error when I try to start Kibana.

I am stuck and don't understand why this happened.

journalctl -u kibana

FATAL Error: ENOENT: no such file or directory, open 'config/kibana-server.key'

I also got more details when I allowed root privileges:

root@es-master-01:/etc/kibana# /usr/share/kibana/bin/kibana -c /etc/kibana/kibana.yml --allow-root
  log   [21:38:01.076] [info][plugins-service] Plugin "osquery" is disabled.
  log   [21:38:01.158] [warning][config][deprecation] Config key [monitoring.cluster_alerts.email_notifications.email_address] will be required for email notifications to work in 8.0."
  log   [21:38:01.178] **[fatal][root] Error: error:0909006C:PEM routines:get_name:no start line**
    at Object.createSecureContext (_tls_common.js:129:17)
    at Server.setSecureContext (_tls_wrap.js:1323:27)
    at Server (_tls_wrap.js:1181:8)
    at new Server (https.js:66:14)
    at Object.createServer (https.js:91:10)
    at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/@hapi/hapi/lib/core.js:539:79)
    at new module.exports.internals.Core (/usr/share/kibana/node_modules/@hapi/hapi/lib/core.js:133:30)
    at new module.exports (/usr/share/kibana/node_modules/@hapi/hapi/lib/server.js:23:18)
    at createServer (/usr/share/kibana/src/core/server/http/http_tools.js:108:18)
    at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:90:48)
    at HttpService.runNotReadyServer (/usr/share/kibana/src/core/server/http/http_service.js:165:26)
    at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:80:18)
    at Server.setup (/usr/share/kibana/src/core/server/server.js:192:23)
    at Root.setup (/usr/share/kibana/src/core/server/root/index.js:47:14)
    at bootstrap (/usr/share/kibana/src/core/server/bootstrap.js:99:5)
    at Command.<anonymous> (/usr/share/kibana/src/cli/serve/serve.js:169:5) {
  library: 'PEM routines',
  function: 'get_name',
  reason: 'no start line',
  code: 'ERR_OSSL_PEM_NO_START_LINE'
}

elasticsearch.yml

cluster.name: "ELK_Stack"
node.name: es-master-01.
node.master: true 
node.data: true  
cluster.initial_master_nodes: "192.168.1.10"

path:
  data: /var/lib/elasticsearch
  logs: /var/log/elasticsearch

network.host: 0.0.0.0 
discovery.zen.minimum_master_nodes: 1

discovery.seed_hosts: ["192.168.1.10", "192.168.1.12"] 

xpack.security.enabled: true

# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12


# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: "elasticsearch/es-master-01/http.p12"

kibana.yml

server.port: 5601

server.host: "0.0.0.0"

server.name: es-master-01

elasticsearch.hosts: ["https://192.168.1.10:9200"]

elasticsearch.username: "kibana_system"
elasticsearch.password: "xxxXXxxx"

elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]

server.ssl.enabled: true
server.ssl.certificate: config/kibana-server.csr
server.ssl.key: config/kibana-server.key

xpack.security.enabled: true
xpack.encryptedSavedObjects.encryptionKey: 'asmndbaskdhaskdhasdaksjhdkasda'

Sorry, by the way, I forgot to add the "kibana.service" content.

[Unit]
Description=Kibana
Documentation=https://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=kibana
Group=kibana

Environment=KBN_HOME=/usr/share/kibana
Environment=KBN_PATH_CONF=/etc/kibana

EnvironmentFile=-/etc/default/kibana
EnvironmentFile=-/etc/kibana <--- Added for test.....
EnvironmentFile=-/etc/sysconfig/kibana

ExecStart=/usr/share/kibana/bin/kibana -c /etc/kibana/kibana.yml
#ExecStart=/usr/share/kibana/bin/kibana --logging.dest="/var/log/kibana/kibana.log" --pid.file="/run/kibana/kibana.pid"

Restart=on-failure
RestartSec=3

StartLimitBurst=3
StartLimitInterval=60

WorkingDirectory=/usr/share/kibana

StandardOutput=journal
StandardError=inherit

[Install]
WantedBy=multi-user.target

The obvious (most likely) answer is that the config/kibana-server.key file, which you reference here:

doesn't exist.

What files are there in your kibana config/ directory?
Are you 100% sure that this file exists with exactly that name?

Hey TimV,

I have 3 files in it. I am looking at it.

elasticsearch-ca.pem
kibana-server.csr
kibana-server.key

Additionally, I used an absolute path rather than a relative path to solve this kind of problem.

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/config/kibana-server.csr
server.ssl.key: /etc/kibana/config/kibana-server.key

and the journal output has changed:

FATAL  Error: error:0909006C:PEM routines:get_name:no start line

Is that really a CSR (certificate signing request)? If so, it's not actually a certificate, and this setup isn't going to work.
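
A pre-flight check for the two problems diagnosed in this thread (a relative path that does not resolve, and a CSR used where a certificate is expected), as an added example that is not part of any post. The function names, verdict strings and sample directory layout are constructed for illustration, and it assumes relative paths in kibana.yml resolve against the process working directory.

```sh
# Print the label of the first PEM block in FILE, e.g. "CERTIFICATE REQUEST".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print the value of a flat "key: value" setting, with quotes stripped.
yaml_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^$key:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_pem ROLE PATH WORKDIR: print one verdict line, return 1 on a problem.
check_pem() {
    role=$1 path=$2
    # Assumption: a relative path is resolved against the working directory.
    case $path in /*) ;; *) path="$3/$path" ;; esac
    [ -f "$path" ] || { echo "$role: MISSING $path"; return 1; }
    label=$(pem_label "$path")
    case "$role:$label" in
        certificate:CERTIFICATE | key:*"PRIVATE KEY") echo "$role: OK $path" ;;
        certificate:*"CERTIFICATE REQUEST") echo "$role: CSR_NOT_CERT $path"; return 1 ;;
        *:) echo "$role: NOT_PEM $path"; return 1 ;;
        *) echo "$role: WRONG_TYPE($label) $path"; return 1 ;;
    esac
}

# preflight KIBANA_YML WORKDIR: check both server.ssl.* files.
preflight() {
    rc=0
    check_pem certificate "$(yaml_value server.ssl.certificate "$1")" "$2" || rc=1
    check_pem key "$(yaml_value server.ssl.key "$1")" "$2" || rc=1
    return $rc
}

# Constructed sample mirroring the thread: the files live in DIR/etc/config.
make_sample() {
    mkdir -p "$1/etc/config" "$1/workdir"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE REQUEST-----' > "$1/etc/config/kibana-server.csr"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/etc/config/kibana-server.key"
    printf '%s\n' 'server.ssl.certificate: config/kibana-server.csr' \
        'server.ssl.key: "config/kibana-server.key"' > "$1/etc/kibana.yml"
}

# Demo: the same kibana.yml checked from two different working directories.
d=$(mktemp -d) && make_sample "$d"
for wd in workdir etc; do preflight "$d/etc/kibana.yml" "$d/$wd" || true; done
rm -rf "$d"
```

The first run reports both files as MISSING, the second finds them and flags the certificate setting as pointing at a CSR; a file signed by the CA and carrying a `CERTIFICATE` label is what passes.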

I didn't understand what you mean exactly.

Let me explain what I did, and please tell me what I missed or what I did wrong.
But please don't tell me everything is wrong :frowning:

  • generate a CA using "bin/elasticsearch-certutil ca" : [output: elastic-stack-ca.p12]
  • Generate private certificate using "bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12" :[Output: elastic-certificate.p12]
  • I added transport layer config set in elasticsearch.yml

I used the certificate tool to generate a CSR to encrypt HTTP client communication for Elastic (I didn't generate a new CA; I used the old one):

  • "bin/elasticsearch-certutil http" referred elastic-stack-ca.p12 as CA
  • entered the validity period as 5y, generated 2 certificates for 2 nodes with node-name and IP addresses
  • unzipped the generated "elasticsearch-ssl-http.zip" file and extracted 2 files (http.p12, elasticsearch-ca.pem)
  • added 2 lines in elasticsearch.yml
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: http.p12
  • and also configured Kibana to trust the elasticsearch CA for the http layer
    elasticsearch.ssl.certificateAuthorities: /etc/kibana/config/elasticsearch-ca.pem

The last things I did are as follows:

generated a server certificate and private key, using following line;
./bin/elasticsearch-certutil csr -name kibana-server

  • unzipped the generated "csr-bundle.zip" file and extracted 2 files (kibana-server.csr, kibana-server.key)
  • added 2 lines in kibana.yml
    server.ssl.certificate: /etc/kibana/config/kibana-server.crt
    server.ssl.key: /etc/kibana/config/kibana-server.key
  • and also added
    server.ssl.enabled: true
