I am trying to install the Helm chart for Elasticsearch and Kibana, but in the security configuration I need to have:
certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
key: /usr/share/kibana/config/certs/kibana/kibana.key
certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
Can anyone tell me how to create those files using the Elasticsearch certutil?
You can use OpenSSL or certutil for that:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
or
https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html
So the cert.pem is the elastic-certificate.pem?
And what about kibana.key and kibana.crt, how could I create them?
Sorry, I am really not a security expert and I don't understand much about certificates. I have already visited the website, but I didn't really understand how to use the certutil, because it gives a zip file containing the key and certificate. Is the certificate generated in that zip what I should copy to the path, or is there another command I should run before that?
Thank you for your help, sir.
There are a few ways to do this. I like a simple approach; if you are just trying to do SSL/TLS on Elastic and Kibana, then do the following.
The following commands will get you the certs for Elastic. Make sure the cert is in the right folder (/etc/elasticsearch) and has the correct permissions. I am not sure if 644 is the right one; it can be made tighter, but I left it at that.
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
chmod 644 elastic-certificates.p12
Then your elasticsearch.yml should look like this:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
Then you run that OpenSSL command inside /etc/kibana and you will get a key/cert file. Then put these settings in your Kibana file:
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/cert.pem
server.ssl.key: /etc/kibana/key.pem
server.ssl.keyPassphrase: xxxxxxx
Make sure you put this in the kibana.yml if you have self-signed certs:
elasticsearch.ssl.verificationMode: none
Now, if you have enabled authentication, you can autogen the passwords using this command and use them in the Kibana file:
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
That's it!
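The procedure above mixes certutil for Elasticsearch with a stand-alone self-signed openssl certificate for Kibana. The following is an added example, not code from the thread or from Elastic, that produces the three files named in the chart values (elastic-certificate.pem, kibana/kibana.key, kibana/kibana.crt) from one private CA using openssl only, so that the certificate Kibana trusts is the CA that actually signed the Elasticsearch node certificate rather than an unrelated self-signed one. The output directory, the Kibana host name and the use of openssl in place of elasticsearch-certutil are assumptions; security-master is the Elasticsearch service name used later in the thread. If you already have certutil's elastic-certificates.p12, the CA certificate inside it can be exported with `openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-certificate.pem` instead of generating a new CA.

```shell
#!/bin/sh
# Added example (not from the thread): build, with openssl alone, the three
# files the Kibana chart values refer to, all rooted in one private CA:
#   elastic-certificate.pem  the CA certificate Kibana should trust
#   kibana/kibana.key        Kibana's unencrypted private key (no keyPassphrase needed)
#   kibana/kibana.crt        Kibana's server certificate, signed by that CA
# Output directory and host names are assumptions passed as arguments.
set -eu

# Minimal openssl config so this does not depend on the system openssl.cnf.
# "prompt = no" means the subject comes only from -subj on the command line.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# issue_leaf DIR CA_NAME HOST OUT_BASE: key + CSR + CA-signed cert carrying a SAN.
issue_leaf() {
    dir="$1"; ca="$2"; host="$3"; base="$4"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
        -subj "/CN=$host" -keyout "$base.key" -out "$base.csr" 2>/dev/null
    # Leaf extensions; the SAN must match the name clients connect to.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$base.ext"
    openssl x509 -req -in "$base.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$base.ext" -out "$base.crt" 2>/dev/null
    rm -f "$base.csr" "$base.ext"
}

# make_stack_certs DIR ES_HOST KIBANA_HOST
make_stack_certs() {
    dir="$1"; es_host="$2"; kb_host="$3"
    mkdir -p "$dir/kibana"
    write_cnf "$dir/openssl.cnf"
    # 1. The CA (what `elasticsearch-certutil ca` produces, here in PEM form).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/openssl.cnf" -extensions ca_ext -subj "/CN=elastic-stack-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Elasticsearch node cert from the same CA (what `certutil cert --ca` does).
    issue_leaf "$dir" ca "$es_host" "$dir/es"
    # 3. Kibana's own server cert from the same CA.
    issue_leaf "$dir" ca "$kb_host" "$dir/kibana/kibana"
    # 4. elastic-certificate.pem is the CA cert, not a fresh self-signed one:
    #    Kibana uses it to verify the certificate Elasticsearch presents.
    cp "$dir/ca.crt" "$dir/elastic-certificate.pem"
    chmod 600 "$dir/ca.key" "$dir/es.key" "$dir/kibana/kibana.key"
}

# verify_stack_certs DIR: chain and key/cert consistency checks before the
# files go into a Kubernetes Secret. Returns 0 only when everything lines up.
verify_stack_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/elastic-certificate.pem" \
        "$dir/es.crt" "$dir/kibana/kibana.crt" >/dev/null 2>&1 || return 1
    # kibana.key must be the private half of kibana.crt
    [ "$(openssl x509 -noout -pubkey -in "$dir/kibana/kibana.crt")" = \
      "$(openssl pkey -pubout -in "$dir/kibana/kibana.key")" ] || return 1
    openssl x509 -noout -text -in "$dir/kibana/kibana.crt" | grep -q 'DNS:' || return 1
}

if [ $# -eq 3 ]; then
    make_stack_certs "$@"
    verify_stack_certs "$1" && echo "certs OK in $1"
fi
```

Run as `sh make-certs.sh ./certs security-master kibana-kibana`. The resulting files go into the two Secrets the values file mounts: `kubectl create secret generic elastic-certificate-pem --from-file=elastic-certificate.pem` and `kubectl create secret generic kibana-certificates --from-file=kibana.crt --from-file=kibana.key`. Because the Elasticsearch cert is signed by the same CA, Kibana can keep `verificationMode: certificate` instead of switching it to `none`.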
I have already created the p12 certificates for Elasticsearch and it's working.
I am using the Helm chart, so I don't need to make the changes in kibana.yml; the changes are provided by the values file of the chart. In the values it's mentioned that I need kibana.key, kibana.crt and elastic-certificate.pem to be in the right path, so now I understand how to create kibana.crt and kibana.key. I will look for the right command to use, thanks to you.
But what I don't understand is the elastic-certificate.pem: is it enough to just use the command you gave me in the first reply, and is the cert.pem equal to elastic-certificate.pem?
In fact I did what you mentioned, but I am getting this error:
FATAL Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
This is the entire error I am having:
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Object.createSecureContext (_tls_common.js:113:17)
    at Server (_tls_wrap.js:870:27)
    at new Server (https.js:62:14)
    at Object.createServer (https.js:85:10)
    at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/hapi/lib/core.js:491:79)
    at new module.exports.internals.Core (/usr/share/kibana/node_modules/hapi/lib/core.js:112:30)
    at new module.exports (/usr/share/kibana/node_modules/hapi/lib/server.js:25:18)
    at createServer (/usr/share/kibana/src/core/server/http/http_tools.js:90:18)
    at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:69:48)
    at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:48:28)
Can you do an ls -l on your pem cert? It looks like it's 0 bytes.
Also, I am not a helm user or expert.
I found that Kibana doesn't read the p12 certificate and I really don't understand where the issue is.
I don't use P12 for Kibana at all. Can you post your configs here, and perhaps a listing of /etc/elasticsearch and /etc/kibana? Take out any sensitive information.
This is the configuration passed to Kibana:
---
elasticsearchHosts: "https://security-master:9200"
extraEnvs:
  - name: 'ELASTICSEARCH_USERNAME'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: 'ELASTICSEARCH_PASSWORD'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/kibana/kibana.key
      certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
    xpack.security.encryptionKey: something_at_least_32_characters
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
      verificationMode: certificate
protocol: https
secretMounts:
  - name: elastic-certificate-pem
    secretName: elastic-certificate-pem
    path: /usr/share/kibana/config/certs
  - name: kibana-certificates
    secretName: kibana-certificates
    path: /usr/share/kibana/config/certs/kibana
This is the configuration passed to Elasticsearch:
---
clusterName: "security"
nodeGroup: "master"
roles:
  master: "true"
  ingest: "true"
  data: "true"
protocol: https
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
I created the .p12 and it's working; Elasticsearch was set up without problem.
Then for the .pem I created it using openssl, and also kibana.crt and kibana.key using openssl as well, and I copied them into the path mentioned, so there is no problem with the path or the files.
I also executed these commands:
kubectl create secret generic elastic-credentials --from-literal=password=changeme --from-literal=username=elastic
kubectl create secret generic elastic-certificates --from-file=elastic-certificates.p12
kubectl create secret generic elastic-certificate-pem --from-file=elastic-certificate.pem
I don't know where the problem is, since everything is set. I think it's probably with the creation of the pem; I still don't know what exactly is happening there.
That error is saying that your pem file may be 0 length. Can you check that? Also, what version of Elastic are you using?
Also, in the following:
kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/kibana/kibana.key
      certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
    xpack.security.encryptionKey: something_at_least_32_characters
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
      verificationMode: certificate
protocol: https
if your cert was self-signed, you may want to turn off verification mode. Also, is this cert (elastic-certificate.pem) present as well?
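The diagnosis above (a 0-byte file) is one cause of `PEM routines:PEM_read_bio:no start line`; the message itself means OpenSSL found no `-----BEGIN <expected type>-----` line in the file it was handed, which also happens for a binary .p12 or DER file put where a PEM file is expected, for a file cut off before the header, and for a PEM file of the wrong kind (a certificate handed to `server.ssl.key`). The following is an added example, not from the thread, that checks each of the three files the values file points at and names the failure mode instead of guessing; the directory layout mirrors the mount paths in the values file, and the verdict words are my own.

```shell
#!/bin/sh
# Added example (not from the thread): classify why Node/OpenSSL would report
# "PEM_read_bio:no start line" for a file Kibana was given. Verdicts:
#   missing | empty | not-pem | wrong-type | unparseable | encrypted | ok
# Only "ok" and "encrypted" return 0 ("encrypted" still needs server.ssl.keyPassphrase).

# Print the PEM block labels a file contains, one per line
# (e.g. "CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY").
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pem_check FILE KIND   (KIND is "key" or "cert")
pem_check() {
    f="$1"; kind="$2"
    [ -f "$f" ] || { echo "missing"; return 1; }
    [ -s "$f" ] || { echo "empty"; return 1; }                        # the 0-byte file from the thread
    grep -q -- '-----BEGIN ' "$f" || { echo "not-pem"; return 1; }    # DER, .p12 or other binary
    case "$kind" in
        key)
            # Any "... PRIVATE KEY" block will do; a CERTIFICATE block here is the
            # "wrong file in server.ssl.key" case, which also yields "no start line".
            pem_labels "$f" | grep -q 'PRIVATE KEY$' || { echo "wrong-type"; return 1; }
            if pem_labels "$f" | grep -q '^ENCRYPTED' || grep -q 'Proc-Type: 4,ENCRYPTED' "$f"; then
                echo "encrypted"; return 0
            fi
            openssl pkey -noout -in "$f" >/dev/null 2>&1 || { echo "unparseable"; return 1; }
            ;;
        cert)
            pem_labels "$f" | grep -q '^CERTIFICATE$' || { echo "wrong-type"; return 1; }
            openssl x509 -noout -in "$f" >/dev/null 2>&1 || { echo "unparseable"; return 1; }
            ;;
        *)  echo "bad-kind"; return 2 ;;
    esac
    echo "ok"
}

# check_kibana_files ROOT: ROOT is the directory mounted as
# /usr/share/kibana/config/certs in the values file. Prints one line per file
# and returns non-zero if any of the three would make Kibana fail to start.
check_kibana_files() {
    root="$1"; rc=0
    for spec in "cert:$root/elastic-certificate.pem" \
                "key:$root/kibana/kibana.key" \
                "cert:$root/kibana/kibana.crt"; do
        kind="${spec%%:*}"; file="${spec#*:}"
        verdict=$(pem_check "$file" "$kind") || rc=1
        printf '%-5s %-12s %s\n' "$kind" "$verdict" "$file"
    done
    return $rc
}

if [ $# -eq 1 ]; then
    check_kibana_files "$1"
fi
```

Run it against the directory you build the Secrets from, e.g. `sh check-pem.sh ./certs`, before `kubectl create secret`; `ls -l` alone only catches the empty case.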
That is the result of: ls -l elastic-certificate.pem
-rw-r--r-- 1 mouna mouna 0 Jul 7 23:26 elastic-certificate.pem
Yes, I have created the elastic-certificate.pem and put it into /usr/share/kibana/config/certs/elastic-certificate.pem.
I recreated the pem file and that's the result:
-rw-r--r-- 1 mouna mouna 2102 Jul 8 00:51 elastic-certificate.pem
But once I upgrade the Kibana chart I get this:
Release "helm-kibana-security" does not exist. Installing it now.
Error: release helm-kibana-security failed: timed out waiting for the condition
Makefile:7: recipe for target 'install' failed
make: *** [install] Error 1
OK, so your cert was 0 KB and then you fixed it. The next error seems to be with helm, which I have no experience with. But now your Elastic and Kibana are set up right.
I fixed the error, but the same error is still in the Kibana log:
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Object.createSecureContext (_tls_common.js:113:17)
    at Server (_tls_wrap.js:870:27)
    at new Server (https.js:62:14)
    at Object.createServer (https.js:85:10)
    at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/hapi/lib/core.js:491:79)
    at new module.exports.internals.Core (/usr/share/kibana/node_modules/hapi/lib/core.js:112:30)
    at new module.exports (/usr/share/kibana/node_modules/hapi/lib/server.js:25:18)
    at createServer (/usr/share/kibana/src/core/server/http/http_tools.js:90:18)
    at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:69:48)
    at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:48:28)
Nothing is fixed.