Is localhost self-signed certificate eligible to make trust connection to external OIDC identity provider?

Hi,

I managed to get my localhost Kibana working over HTTPS (the warning stated that it is not trusted).

However, my localhost Elasticsearch node is still running over HTTP. The Elasticsearch console generates the following error when the HTTPS localhost Kibana tries to SSO with the external identity provider.

Please bear with my skills; my first concern is whether a localhost self-signed certificate (CN=localhost) can even establish a trusted connection from the Kibana and Elasticsearch side.

Here are my settings:

1. elasticsearch.yml:

```yaml
xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.http.ssl.truststore.path: C:\Development\Elastic\Elasticsearch\config\certs\localhost2704.jks
xpack.security.http.ssl.truststore.password: password
```

2. kibana.yml:

```yaml
server.ssl.enabled: true
server.ssl.certificate: "certs/ca.crt"
server.ssl.key: "certs/ca.key"
elasticsearch.ssl.truststore.path: "C:/Development/Elastic/Elasticsearch/config/certs/localhost2704.jks"
elasticsearch.ssl.truststore.password: "password"
```

3. Error log from localhost Elastic console:

I generated the certificate with the Elasticsearch elasticsearch-certutil command.

Thanks for your time.

Warm regards,
KTH

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with the </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. Also, please share the entire configuration: you are asking about your OpenID Connect integration, but you don't share its configuration.

The more data you share, the easier it is for folks who want to help you out. This also makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Also take a look at our docs, we explicitly describe what you are seeing and how you can fix it here: https://www.elastic.co/guide/en/elasticsearch/reference/current/oidc-guide-authentication.html#oidc-ssl-config

Environment: Elasticsearch 7.7, Kibana 7.7

elasticsearch.yml:

```yaml
bootstrap.memory_lock: false
cluster.name: elasticsearch20200521
http.port: 9200
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: TOPKT20200521
path.data: C:\khts\Elastic\Elasticsearch_7_7\elasticsearch-7.7.0\data
path.logs: C:\khts\Elastic\Elasticsearch_7_7\elasticsearch-7.7.0\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: trial

xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate

xpack.security.http.ssl.key: certs/elastic-stack-ca/ca/ca.key
xpack.security.http.ssl.certificate: certs/elastic-stack-ca/ca/ca.crt
xpack.security.http.ssl.certificate_authorities: ["certs/elastic-stack-ca/ca/ca.crt"]

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/elastic-stack-ca/ca/ca.key
xpack.security.transport.ssl.certificate: certs/elastic-stack-ca/ca/ca.crt
xpack.security.transport.ssl.certificate_authorities: ["certs/elastic-stack-ca/ca/ca.crt"]

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.file.file:
  order: 0
xpack.security.authc.realms.native.native:
  order: 1
xpack.security.authc.realms.oidc.kibana-gidp:
  order: 2
  rp.client_id: "kibanagidp"
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  rp.requested_scopes: "openid profile email"
  op.issuer: "https://localhost:44400"
  op.authorization_endpoint: "https://localhost:44400/connect/authorize"
  op.token_endpoint: "https://localhost:44400/connect/token"
  op.jwkset_path: oidc/jwkset.json
  op.userinfo_endpoint: "https://localhost:44400/connect/userinfo"
  op.endsession_endpoint: "https://localhost:44400/connect/endsession"
  claims.principal: preferred_username
  claims.mail: email
  claims.groups: profile
  http.socket_timeout: 30s
  ssl.key: certs/elastic-stack-ca/ca/ca.key
  ssl.certificate: certs/elastic-stack-ca/ca/ca.crt
  ssl.verification_mode: none
  ssl.certificate_authorities: ["certs/elastic-stack-ca/ca/ca.crt","certs/gidp.pfx","certs/serviceprovider.pfx","certs/token.pfx"]
```

kibana.yml:

```yaml
elasticsearch.hosts: ["https://localhost:9200"]

server.host: "localhost"
elasticsearch.username: "elastic"
elasticsearch.password: "password"

xpack.security.authProviders: [oidc, basic]
xpack.security.authc.oidc.realm: "kibana-gidp"
xpack.security.encryptionKey: "any_arbitrary_string_that_is_at_least_32_characters_long"
server.xsrf.whitelist: [/api/security/oidc/callback]

server.ssl.enabled: true
server.ssl.certificate: "certs/ca.crt"
server.ssl.key: "certs/ca.key"
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: C:/khts/Elastic/Elasticsearch_7_7/elasticsearch-7.7.0/config/certs/elastic-stack-ca/ca/ca.crt
```

In version 7.6 (Elasticsearch and Kibana):
When I set `ssl.verification_mode` to `certificate` in `xpack.security.authc.realms.oidc.kibana-gidp` (elasticsearch.yml), it produces a similar error that contains "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target."

When I set `ssl.verification_mode` to `none` in `xpack.security.authc.realms.oidc.kibana-gidp` (elasticsearch.yml), it doesn't show any error in the Elasticsearch console, but Kibana shows "Elastic Kibana did not load properly. Check the server output for more information". However, in 7.6 I can still access Kibana if I refresh to another page a few times.

In 7.7, Kibana just shows the same error, "Elastic Kibana did not load properly. Check the server output for more information". Refreshing to another page doesn't help this time.

With my latest development, I would like to know how to fix this, so that it works with `ssl.verification_mode` set to "none" and with it set to "certificate" in a 7.7 localhost environment, thanks.

Thanks anyone that has spent time on here.

Warm regards,
K
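As an added illustration (my own code, not from this thread or from Elastic), the following script flattens the kind of settings posted in both messages above and flags the things that explain the symptoms described: `verification_mode: none` turns off certificate validation for the connection from Elasticsearch to the OP, `certificate` validates the chain but not the hostname, and `.pfx` files do not belong in `certificate_authorities`, which takes PEM certificate files (PKCS#12 and JKS go in `ssl.truststore.path`). It also points out that the realm's only PEM trust anchor is Elasticsearch's own CA, which can only vouch for the identity provider at `op.issuer` if that provider's certificate was issued by it; otherwise the `PKIX path building failed` error is the expected result, and a self-signed CN=localhost certificate on the Elasticsearch side makes no difference to it. The sample YAML is constructed from the posted settings and trimmed; the flattener handles only the indentation-based subset used in these files and is not a general YAML parser.

```python
# Added example (not from the thread or Elastic): a checker for the TLS pitfalls
# in the posted elasticsearch.yml / kibana.yml. Standard library only.
import re

# Constructed sample, trimmed from the elasticsearch.yml posted in the thread.
SAMPLE_ELASTICSEARCH_YML = """\
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate_authorities: ["certs/elastic-stack-ca/ca/ca.crt"]
xpack.security.authc.realms.oidc.kibana-gidp:
  order: 2
  op.issuer: "https://localhost:44400"
  ssl.verification_mode: none
  ssl.certificate_authorities: ["certs/elastic-stack-ca/ca/ca.crt","certs/gidp.pfx","certs/serviceprovider.pfx","certs/token.pfx"]
"""

# Constructed sample, trimmed from the kibana.yml posted in the thread.
SAMPLE_KIBANA_YML = """\
elasticsearch.hosts: ["https://localhost:9200"]
server.ssl.enabled: true
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: C:/khts/Elastic/Elasticsearch_7_7/elasticsearch-7.7.0/config/certs/elastic-stack-ca/ca/ca.crt
"""

KEYSTORE_SUFFIXES = (".pfx", ".p12", ".jks")
OIDC_REALM_CA = re.compile(
    r"^(xpack\.security\.authc\.realms\.oidc\.[^.]+)\.ssl\.certificate_authorities$")


def flatten_yaml(text):
    """Flatten `key: value` lines and indented mappings into dotted keys.
    Inline [a, b] lists become Python lists; every other value stays a string.
    Handles only the subset of YAML used by elasticsearch.yml / kibana.yml."""
    settings = {}
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Split on the first colon only, so "C:\path" and "https://host" survive.
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key])
        if value == "":  # start of a nested mapping
            stack.append((indent, key))
        elif value.startswith("[") and value.endswith("]"):
            settings[dotted] = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[dotted] = value.strip("\"'")
    return settings


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint(settings):
    """Return a list of (level, key, message) findings for one flattened file."""
    findings = []
    node_cas = set(as_list(settings.get("xpack.security.http.ssl.certificate_authorities", [])))
    for key, value in settings.items():
        if key.endswith(("verification_mode", "verificationMode")):
            if value == "none":
                findings.append(("error", key,
                                 "certificate validation is disabled; any certificate the peer presents is accepted"))
            elif value == "certificate":
                findings.append(("warn", key,
                                 "chain is validated but the peer's hostname is not; 'full' also checks the name"))
        if key.endswith(("certificate_authorities", "certificateAuthorities")):
            for path in as_list(value):
                if path.lower().endswith(KEYSTORE_SUFFIXES):
                    findings.append(("error", key,
                                     f"{path} is a keystore, but this setting takes PEM certificate files; "
                                     "use ssl.truststore.path for PKCS#12/JKS"))
        realm = OIDC_REALM_CA.match(key)
        if realm:
            pem_cas = {p for p in as_list(value) if not p.lower().endswith(KEYSTORE_SUFFIXES)}
            if pem_cas and pem_cas <= node_cas:
                issuer = settings.get(realm.group(1) + ".op.issuer", "<op.issuer>")
                findings.append(("warn", key,
                                 f"only Elasticsearch's own CA is trusted for the OP; the certificate served by "
                                 f"{issuer} must chain to a CA in this list or PKIX path building fails"))
    return findings


if __name__ == "__main__":
    for name, text in (("elasticsearch.yml", SAMPLE_ELASTICSEARCH_YML), ("kibana.yml", SAMPLE_KIBANA_YML)):
        for level, key, msg in lint(flatten_yaml(text)):
            print(f"{name}: {level.upper()} {key}: {msg}")
```

Run against the constructed samples it reports four errors for elasticsearch.yml (the realm's `verification_mode: none` and the three `.pfx` entries) plus two warnings, and one error for kibana.yml (`elasticsearch.ssl.verificationMode: none`). Point it at a real file with `flatten_yaml(open(path).read())`; the checks are heuristics on setting names, so treat the output as a review aid rather than a verdict.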
