How to create security certificate pem for elasticsearch an kibana

I am trying to intall the helm chart of elasticsearch and kibana but in the security configuration I need to have :
certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem

  key: /usr/share/kibana/config/certs/kibana/kibana.key
  certificate: /usr/share/kibana/config/certs/kibana/kibana.crt

can any one tell me how to create those file using the elasticsearch certutil.

You can use Open SSL or CertUtil for that

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

or

https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html

so the cert.pem is the elastic-certificate.pem ?

and what about kibana.key and kibana.crt how could I create them ?

sorry I am really not a security expert and I don't undrstand much in certificates, I have already vidited the website but I didn't really understand how to use tje certutil because it gives a zip file containint the key and certificate is the certificate generated in that zip what I should copy in the path or there is another command I should run before that.

thank you for your help sir.

There is a few ways to do this. I like a simple approach, if you are just trying to do SSL/TLS on Elastic and Kibana then do the following

The following commands will get you the certs for Elastic. Make sure the cert is in the right folder /etc/elasticsearch and has the correct permissions. I am not sure if 644 is the right one it it can be made tighter but I left it at that
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
chmod 644 elastic-certificates.p12

Then your ElasticSearch.yml should look like this

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Then you run that OpenSSL Command inside /etc/kibana and you will get a key/cert file. Then put these settings in your kibana file

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/cert.pem
server.ssl.key: /etc/kibana/key.pem
server.ssl.keyPassphrase: xxxxxxx

Make sure you put this in the kibana.yml if you have self signed certs
elasticsearch.ssl.verificationMode: none

Now if you have enabled authentication you can autogen the passwords using this command and use them in the kibana file

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

Thats it!

I have already created the p12 certificates for the elasticsearch and it's working .

I am using the helm chart so I don't need to do the changes in kiabana.yml the changes are provided by the values file of the chart in the values it's mentioned that I need kibana.key and kibana.crt and elastic-certificate.pem to be in the right path so now I understand how to create kibana.crt and kibana.key I will look for the right command to use thanks to you .

but what I don't undertand is the elastic-certificate.pem is it enough to just use the command you fave me in the firt reply and the cert.pem is equal to elastic-certificate.pem ?

in fact I did what you mentioned but I am getting this error :

FATAL Error: error:0906D06C:PEM routines:PEM_read_bio:no start line

this is the entire error I am having :

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line at Object.createSecureContext (_tls_common.js:113:17) at Server (_tls_wrap.js:870:27) at new Server (https.js:62:14) at Object.createServer (https.js:85:10) at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/hapi/lib/core.js:491:79) at new module.exports.internals.Core (/usr/share/kibana/node_modules/hapi/lib/core.js:112:30) at new module.exports (/usr/share/kibana/node_modules/hapi/lib/server.js:25:18) at createServer (/usr/share/kibana/src/core/server/http/http_tools.js:90:18) at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:69:48) at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:48:28)

can you do a ls -l on your pem cert? It looks like its 0 bytes

Also I am not a helm user or expert.

I found that kibana doesn't read the p12 certificate and I really don't understand where is the issue

I dont use P12 for Kibana at all. Can you post your configs here and perhaps a listing of /etc/elasticsearch and /etc/kibana take out any sensitive information

this is the configuration passed to kibana :
---

elasticsearchHosts: "https://security-master:9200"

extraEnvs:
  - name: 'ELASTICSEARCH_USERNAME'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: 'ELASTICSEARCH_PASSWORD'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password

kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/kibana/kibana.key
      certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
    xpack.security.encryptionKey: something_at_least_32_characters
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
      verificationMode: certificate
protocol: https

secretMounts:
  - name: elastic-certificate-pem
    secretName: elastic-certificate-pem
    path: /usr/share/kibana/config/certs
  - name: kibana-certificates
    secretName: kibana-certificates
path: /usr/share/kibana/config/certs/kibana

This is the configuration passed to elasticsearch :

---
clusterName: "security"
nodeGroup: "master"

roles:
  master: "true"
  ingest: "true"
  data: "true"

protocol: https

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username

secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
path: /usr/share/elasticsearch/config/certs

I created the .p12 and it's working elasticsearch was set up without problem .

then for the .pem I created it using the openssl and also kibana.crt and kibana.key also using the openssl as well and I copied them into the path mentioned so ther is no problem with the ath or the files.

I also executed this commands :

kubectl create secret generic elastic-credentials --from-literal=password=changeme --from-literal=username=elastic
kubectl create secret generic elastic-certificates --from-file=elastic-certificates.p12
kubectl create secret generic elastic-certificate-pem --from-file=elastic-certificate.pem

I don't know where is the problem since everything is set, I think probably with creation of the pem still don't know what exactly is hapening there

That error is saying that your pem file may be 0 length. Can you check that? Also what version of Elastic are you using?

Also in the following

kibanaConfig:
kibana.yml: |
server.ssl:
enabled: true
key: /usr/share/kibana/config/certs/kibana/kibana.key
certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
xpack.security.encryptionKey: something_at_least_32_characters
elasticsearch.ssl:
certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
verificationMode: certificate
protocol: https

if your cert was self signed you may want to turn off verification mode. Also is this cert (elastic-certificate.pem) present as well?

That is the result of : ls -l elastic-certificate.pem

-rw-r--r-- 1 mouna mouna 0 Jul 7 23:26 elastic-certificate.pem

yes I have created the elastic-certificate.pem and put it into /usr/share/kibana/config/certs/elastic-certificate.pem

I recreate the pem file and that's the result

-rw-r--r-- 1 mouna mouna 2102 Jul 8 00:51 elastic-certificate.pem

but once I upgrade the kibana chart I get this :

Release "helm-kibana-security" does not exist. Installing it now.
Error: release helm-kibana-security failed: timed out waiting for the condition
Makefile:7: recipe for target 'install' failed
make: *** [install] Error 1

Ok so your cert was 0kb and then you fixed it. The next error seems to be with helm which I have no experience with. But now your elastic and kibana is setup right

I fixed the error but the same error stil on the kibana log :

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line at Object.createSecureContext (_tls_common.js:113:17) at Server (_tls_wrap.js:870:27) at new Server (https.js:62:14) at Object.createServer (https.js:85:10) at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/hapi/lib/core.js:491:79) at new module.exports.internals.Core (/usr/share/kibana/node_modules/hapi/lib/core.js:112:30) at new module.exports (/usr/share/kibana/node_modules/hapi/lib/server.js:25:18) at createServer (/usr/share/kibana/src/core/server/http/http_tools.js:90:18) at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:69:48) at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:48:28)

nothig is fixed