Is localhost self-signed certificate eligible to make trust connection to external OIDC identity provider?


I managed to make localhost Kibana to be functioned in https environment.(The warning stated that it is not trusted).

However my localhost elasticsearch node is still in http environment. The elasticsearch console generate following error, when https localhost Kibana tried to SSO with the external Identity Provider.

Please bear with my skills, my first concern is that if localhost self-signed certificate(CN=localhost) even possible to build up trust connection from Kibana and Elasticsearch side?

Here are my settings:

1. elasticsearch.yml:
    xpack.license.self_generated.type: trial true false C:\Development\Elastic\Elasticsearch\config\certs\localhost2704.jks password

    server.ssl.enabled: true
    server.ssl.certificate: "certs/ca.crt"
    server.ssl.key: "certs/ca.key"
    elasticsearch.ssl.truststore.path: "C:/Development/Elastic/Elasticsearch/config/certs/localhost2704.jks"
    elasticsearch.ssl.truststore.password: "password"
  1. Error log from localhost Elastic console:

I generated the certificate with elasticsearch elasticsearch-certutil command.

Thanks for your time.

Warm regards,

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. Also please share the entire configuration, you are asking about your openid connect integration but you dont share its configuration.

The more data you share the easier it makes it for folks that want to help you out. This also makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Also take a look at our docs, we explicitly describe what you are seeing and how you can fix it here:

Environment: Elasticsearch 7.7, Kibana 7.7


bootstrap.memory_lock: false elasticsearch20200521
http.port: 9200 true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1 TOPKT20200521 C:\khts\Elastic\Elasticsearch_7_7\elasticsearch-7.7.0\data
path.logs: C:\khts\Elastic\Elasticsearch_7_7\elasticsearch-7.7.0\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: trial true true certificate certs/elastic-stack-ca/ca/ca.key certs/elastic-stack-ca/ca/ca.crt ["certs/elastic-stack-ca/ca/ca.crt"] true certificate certs/elastic-stack-ca/ca/ca.key certs/elastic-stack-ca/ca/ca.crt ["certs/elastic-stack-ca/ca/ca.crt"] true
 order: 0
 order: 1
  order: 2
  rp.client_id: "kibanagidp"
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  rp.requested_scopes: "openid profile email"
  op.issuer: "https://localhost:44400"
  op.authorization_endpoint: "https://localhost:44400/connect/authorize"
  op.token_endpoint: "https://localhost:44400/connect/token"
  op.jwkset_path: oidc/jwkset.json
  op.userinfo_endpoint: "https://localhost:44400/connect/userinfo"
  op.endsession_endpoint: "https://localhost:44400/connect/endsession"
  claims.principal: preferred_username 
  claims.mail: email
  claims.groups: profile
  http.socket_timeout: 30s
  ssl.key: certs/elastic-stack-ca/ca/ca.key
  ssl.certificate: certs/elastic-stack-ca/ca/ca.crt
  ssl.verification_mode: none
  ssl.certificate_authorities: ["certs/elastic-stack-ca/ca/ca.crt","certs/gidp.pfx","certs/serviceprovider.pfx","certs/token.pfx"]


elasticsearch.hosts: ["https://localhost:9200"] "localhost"
elasticsearch.username: "elastic"
elasticsearch.password: "password" [oidc, basic] "kibana-gidp" "any_arbitrary_string_that_is_at_least_32_characters_long"
server.xsrf.whitelist: [/api/security/oidc/callback]

server.ssl.enabled: true
server.ssl.certificate: "certs/ca.crt"
server.ssl.key: "certs/ca.key"
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: C:/khts/Elastic/Elasticsearch_7_7/elasticsearch-7.7.0/config/certs/elastic-stack-ca/ca/ca.crt

In 7.6(Elasticsearch and Kibana) version
When I put verficationMode to certificate in (elasticsearch.yml) , it produces the similar error that contains "PKIX path building failed: unable to find valid certification path to requested target."

When I put verificationMode to none in (elasticsearch.yml) , it doesn't show any error in elasticsearch-console, but Kibana showed "Elastic Kibana did not load properly. Check the server output for more information" However in 7.6, I still can access to Kibana, if I refreshed page to another page few times.

In 7.7 Kibana, it just showed the same error "Elastic Kibana did not load properly. Check the server output for more information". Any refresh to another won't help this time.

With my lastest development, I would like to know how to fix this, so it will works with the configuration setting verificationMode to "none" and verficationMode to "certificate" in 7.7 locahost environment, thanks.

Thanks anyone that has spent time on here.

Warm regards,

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.