Hello,
I just installed ES node and Kibana (latest, 7.6 version) and trying to enable SSL for Kibana.
Could anybody advise me on how I can do it?
I used this command to generate certificates:
bin/elasticsearch-certutil http
After unpacking zip file I got elasticsearch and kibana dirs. And I have these files in elasticsearch dir:
README.txt
my-domain.csr
my-domain.key
sample-elasticsearch.yml
How I can get crt file instead of csr?
Hi @TheVintik,
Here is our documentation to for Kibana TLS:
https://www.elastic.co/guide/en/kibana/current/configuring-tls.html
To generate crt file you can do the following:
./bin/elasticsearch-certutil ca --pem
Thanks!
Liza
Thank you for response, @Liza_Dayoub ! I generated keys with ./bin/elasticsearch-certutil ca --pem and update my kibana.yml config file with:
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/ca.crt
server.ssl.key: /etc/kibana/certs/ca.key
After Kibana restart I got these logs:
{"type":"log","@timestamp":"2020-03-18T18:24:09Z","tags":["listening","info"],"pid":29080,"message":"Server running at https://MY-IP:5601"}
{"type":"log","@timestamp":"2020-03-18T18:24:09Z","tags":["info","http","server","Kibana"],"pid":29080,"message":"http server running at https://MY-IP:5601"}
But when I try to open Kibana in browser https://MY-IP:5601 I got a lot of these errors:
{"type":"error","@timestamp":"2020-03-18T18:25:30Z","tags":["connection","client","error"],"pid":29080,"level":"error","error":{"message":"140293902256000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n","name":"Error","stack":"Error: 140293902256000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n"},"message":"140293902256000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n"}
Hi @TheVintik,
I believe these messages are expected if it is a self signed certificate, due to the client not trusting the certificate and Kibana ignore the certificate errors.
However let me ping our security expert @Larry_Gregory to comment further.
Thanks!
Liza
@TheVintik if you run the command with the cert option, it will generate a certificate as opposed to a CSR:
bin/elasticsearch-certutil http cert
It looks like you're trying to specify the certificate authority ("CA") as the kibana server certificate, which is not something you'd want to do.
Thank you for response @Larry_Gregory
Could you please advice me - how I should generate crt and key for Kibana?
Should I run bin/elasticsearch-certutil http (without cert option)?
By the way, I got these files after running bin/elasticsearch-certutil http:
Generate a CSR? [y/N]
Use an existing CA? [y/N]
...
Archive: /usr/share/elasticsearch/elasticsearch-ssl-http.zip
creating: elasticsearch/
inflating: elasticsearch/README.txt
inflating: elasticsearch/http.p12
inflating: elasticsearch/sample-elasticsearch.yml
creating: ca/
inflating: ca/README.txt
inflating: ca/ca.p12
creating: kibana/
inflating: kibana/README.txt
inflating: kibana/elasticsearch-ca.pem
inflating: kibana/sample-kibana.yml
But looks like there are no key and cert files for Kibana`s config.
I would appreciate you with an example of how to generate crt and key.
Hi @TheVintik,
For production you will need to follow below guide and have the certificates signed by a CA:
https://www.elastic.co/guide/en/kibana/current/configuring-tls.html
For local non-production setup, you can do the following:
./bin/elasticsearch-certutil cert -name <name> -dns <dns>
Then kibana.yml you can add the following:
server.ssl.keystore.path: <name>.p12
server.ssl.keystore.password: ""
Then follow instructions to add the certificate as trusted for your browser and those errors will go away.
Let me know if this helps.
Adding another one of security experts @jportner for more info.
Thanks Joe for helping me understand it better.
@TheVintik hope this helps! Let us know.
I found an error from my side.
When I worked on Kibana configuration, I was not sure about two things"
For except firewall issue I decided to use linux console web browser to check - does Kibana web page open or not. It worked well for HTTP protocol, but there were errors, described above when I tried to use HTTPS.
But, then I checked firewall rules again and fix it, my web browser opened Kibana fine.
So, it was linux console web browser issue. And, looks like all described above methods for SSL keys generate are good.
Thank you all for your help and time!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.