How to enable SSL (https) for Kibana?

Hello,

I just installed an ES node and Kibana (latest, version 7.6) and am trying to enable SSL for Kibana.

Could anybody advise me on how I can do it?

I used this command to generate certificates:

bin/elasticsearch-certutil http

After unpacking the zip file I got elasticsearch and kibana dirs, and I have these files in the elasticsearch dir:

README.txt  
my-domain.csr  
my-domain.key  
sample-elasticsearch.yml

How can I get a crt file instead of a csr?

Hi @TheVintik,

Here is our documentation for Kibana TLS:
https://www.elastic.co/guide/en/kibana/current/configuring-tls.html

To generate a crt file you can do the following:

./bin/elasticsearch-certutil ca --pem

Thanks!
Liza

Thank you for the response, @Liza_Dayoub! I generated keys with ./bin/elasticsearch-certutil ca --pem and updated my kibana.yml config file with:

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/ca.crt
server.ssl.key: /etc/kibana/certs/ca.key

After restarting Kibana I got these logs:

{"type":"log","@timestamp":"2020-03-18T18:24:09Z","tags":["listening","info"],"pid":29080,"message":"Server running at https://MY-IP:5601"}

{"type":"log","@timestamp":"2020-03-18T18:24:09Z","tags":["info","http","server","Kibana"],"pid":29080,"message":"http server running at https://MY-IP:5601"}

But when I try to open Kibana in the browser at https://MY-IP:5601 I get a lot of these errors:

{"type":"error","@timestamp":"2020-03-18T18:25:30Z","tags":["connection","client","error"],"pid":29080,"level":"error","error":{"message":"140293902256000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n","name":"Error","stack":"Error: 140293902256000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n"},"message":"140293902256000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n"}

Hi @TheVintik,

I believe these messages are expected if it is a self-signed certificate, due to the client not trusting the certificate and Kibana ignoring the certificate errors.

However, let me ping our security expert @Larry_Gregory to comment further.

Thanks!
Liza
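For triaging the errors quoted above, here is an added example (not part of the original posts, and not Elastic's code) that pulls TLS alerts out of Kibana's JSON log lines and names them. The sample lines are constructed in the shape of the ones in this thread; the function names are hypothetical.

```python
import json
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

# OpenSSL appends "SSL alert number N" when it reads a fatal alert from the peer,
# so a match means the connecting client rejected what the server presented.
ALERT_RE = re.compile(r"SSL routines:(\w+):.*SSL alert number (\d+)")

# Constructed sample input modelled on the log lines quoted in this thread.
SAMPLE_LOG = [
    r'{"type":"log","@timestamp":"2020-03-18T18:24:09Z","tags":["listening","info"],'
    r'"pid":29080,"message":"Server running at https://MY-IP:5601"}',
    r'{"type":"error","@timestamp":"2020-03-18T18:25:30Z","tags":["connection","client",'
    r'"error"],"pid":29080,"level":"error","message":"140293902256000:error:14094418:'
    r'SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/'
    r'record/rec_layer_s3.c:1544:SSL alert number 48\n"}',
    "not a json line",
]


def tls_alerts(lines):
    """Yield (timestamp, openssl_function, alert_number, alert_name) per TLS alert."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # ignore anything that is not a JSON log record
        if not isinstance(event, dict) or event.get("type") != "error":
            continue
        match = ALERT_RE.search(event.get("message", ""))
        if match:
            number = int(match.group(2))
            yield (event.get("@timestamp"), match.group(1), number,
                   ALERTS.get(number, "other"))


def summarize(lines):
    """Count alerts by (number, name) so repeated client rejections stand out."""
    return Counter((num, name) for _ts, _func, num, name in tls_alerts(lines))


if __name__ == "__main__":
    for (num, name), count in summarize(SAMPLE_LOG).items():
        print(f"alert {num} ({name}): {count} occurrence(s)")
```

A count dominated by alert 48 (unknown_ca) points at client-side trust of the issuing CA rather than at the listener itself.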

@TheVintik if you run the command with the cert option, it will generate a certificate as opposed to a CSR:

bin/elasticsearch-certutil http cert

It looks like you're trying to specify the certificate authority ("CA") as the kibana server certificate, which is not something you'd want to do.


Thank you for the response, @Larry_Gregory.

Could you please advise me how I should generate the crt and key for Kibana?
Should I run bin/elasticsearch-certutil http (without the cert option)?

By the way, I got these files after running bin/elasticsearch-certutil http:

Generate a CSR? [y/N]
Use an existing CA? [y/N]
...

Archive:  /usr/share/elasticsearch/elasticsearch-ssl-http.zip
creating: elasticsearch/
inflating: elasticsearch/README.txt  
inflating: elasticsearch/http.p12  
inflating: elasticsearch/sample-elasticsearch.yml  
creating: ca/
inflating: ca/README.txt           
inflating: ca/ca.p12               
creating: kibana/
inflating: kibana/README.txt       
inflating: kibana/elasticsearch-ca.pem  
inflating: kibana/sample-kibana.yml

But it looks like there are no key and cert files for Kibana's config.

I would appreciate an example of how to generate the crt and key.

Hi @TheVintik,

For production you will need to follow the guide below and have the certificates signed by a CA:

https://www.elastic.co/guide/en/kibana/current/configuring-tls.html

For a local non-production setup, you can do the following:

./bin/elasticsearch-certutil cert -name <name> -dns <dns> 

Then in kibana.yml you can add the following:

server.ssl.keystore.path: <name>.p12
server.ssl.keystore.password: ""

Then follow the instructions to add the certificate as trusted for your browser and those errors will go away.

Let me know if this helps.

Adding another one of our security experts, @jportner, for more info.

Thanks Joe for helping me understand it better.

@TheVintik hope this helps! Let us know.

I found an error on my side.

When I worked on the Kibana configuration, I was not sure about two things:

  • is Kibana configured properly?
  • is my firewall configured properly?

To rule out a firewall issue I decided to use a Linux console web browser to check whether the Kibana web page opens or not. It worked well for the HTTP protocol, but there were the errors described above when I tried to use HTTPS.

But then I checked the firewall rules again and fixed them, and my web browser opened Kibana fine.

So, it was a Linux console web browser issue. And it looks like all the methods described above for generating SSL keys are good.

Thank you all for your help and time!
