Issue with SSL

Hello,

I'm encountering problems while configuring SSL certificates for HTTPS. I've attempted the setup, but I've run into some issues.

I have configuration files, status reports, and logs available that I believe are relevant to the problem. I would appreciate assistance in resolving these issues.

kibana.yml:
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/elastic_client_cert.pem
server.ssl.key: /etc/kibana/certs/elastic_client_cert.key
server.ssl.certificateAuthorities: [ "/etc/kibana/certs/elastic_ca_cert.pem" ]

sudo chmod 600 /etc/kibana/certs/elastic_client_cert.key
sudo chmod 600 /etc/kibana/certs/elastic_client_cert.pem
sudo chmod 644 /etc/kibana/certs/elasticsearch-ca.pem

sudo chown kibana:kibana /etc/kibana/certs/elasticsearch-ca.pem
sudo chown kibana:kibana /etc/kibana/certs/elastic_client_cert.key
sudo chown kibana:kibana /etc/kibana/certs/elastic_client_cert.pem

sudo systemctl status kibana

Feb 17 19:49:15 test.local systemd[1]: kibana.service: Scheduled restart job, restart counter is at 2.
Feb 17 19:49:15 test.local systemd[1]: Started kibana.service - Kibana.
Feb 17 19:49:15 test.local kibana[2359845]: Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see Use Kibana in a production environment | Kibana Guide [8.15] | Elastic>
Feb 17 19:49:15 test.local kibana[2359845]: {"log.level":"info","@timestamp":"2025-02-17T18:49:15.874Z","log.logger":"elastic-apm-node","ecs.version":"8.10.0","agentVersion":"4.7.0","env":{"pid":2359845,"proctitle":"/usr/sh>
Feb 17 19:49:15 test.local kibana[2359845]: Native global console methods have been overridden in production environment.

$ sudo systemctl status kibana
× kibana.service - Kibana
Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2025-02-17 19:49:24 CET; 1min 35s ago
Duration: 5.804s
Docs: https://www.elastic.co
Process: 2359845 ExecStart=/usr/share/kibana/bin/kibana (code=exited, status=1/FAILURE)
Main PID: 2359845 (code=exited, status=1/FAILURE)
CPU: 7.032s

Feb 17 19:49:24 test.local systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
Feb 17 19:49:24 test.local systemd[1]: kibana.service: Start request repeated too quickly.
Feb 17 19:49:24 test.local systemd[1]: kibana.service: Failed with result 'exit-code'.
Feb 17 19:49:24 test.local systemd[1]: Failed to start kibana.service - Kibana.
Feb 17 19:49:24 test.local systemd[1]: kibana.service: Consumed 7.032s CPU time, 253.7M memory peak, 0B memory swap peak.

kibana.log:

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.11.0"},"@timestamp":"2025-02-17T20:02:30.848+01:00","message":"Reason: error:1C800064:Provider routines::bad decrypt\nError: error:1C800064:Provider routines::bad decrypt\n at setKey (node:internal/tls/secure-context:93:11)\n at configSecureContext (node:internal/tls/secure-context:204:7)\n at Object.createSecureContext (node:_tls_common:116:3)\n at Server.setSecureContext (node:_tls_wrap:1486:27)\n at Server (node:_tls_wrap:1350:8)\n at new Server (node:https:75:3)\n at Object.createServer (node:https:133:10)\n at configureHttp1Listener (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_listener.js:29:44)\n at getServerListener (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_listener.js:22:63)\n at getServerOptions (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_server_options.js:35:51)\n at HttpServer.setup (/usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_server.js:142:65)\n at HttpService.preboot (/usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_service.js:62:26)\n at Server.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/server.js:194:27)\n at Root.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/root/index.js:47:14)\n at bootstrap (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/bootstrap.js:95:29)\n at Command. (/usr/share/kibana/src/cli/serve/serve.js:233:5)","log":{"level":"FATAL","logger":"root"},"process":{"pid":2360395,"uptime":5.873129091},"trace":{"id":"5fa606ca0c272c04ce1e70803f6d230c"},"transaction":{"id":"3c299e6de33a4596"}}
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.11.0"},"@timestamp":"2025-02-17T20:02:39.933+01:00","message":"Reason: error:1C800064:Provider routines::bad decrypt\nError: error:1C800064:Provider routines::bad decrypt\n at setKey (node:internal/tls/secure-context:93:11)\n at configSecureContext (node:internal/tls/secure-context:204:7)\n at Object.createSecureContext (node:_tls_common:116:3)\n at Server.setSecureContext (node:_tls_wrap:1486:27)\n at Server (node:_tls_wrap:1350:8)\n at new Server (node:https:75:3)\n at Object.createServer (node:https:133:10)\n at configureHttp1Listener (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_listener.js:29:44)\n at getServerListener (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_listener.js:22:63)\n at getServerOptions (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_server_options.js:35:51)\n at HttpServer.setup (/usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_server.js:142:65)\n at HttpService.preboot (/usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_service.js:62:26)\n at Server.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/server.js:194:27)\n at Root.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/root/index.js:47:14)\n at bootstrap (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/bootstrap.js:95:29)\n at Command. (/usr/share/kibana/src/cli/serve/serve.js:233:5)","log":{"level":"FATAL","logger":"root"},"process":{"pid":2360417,"uptime":5.786669326},"trace":{"id":"12ad339c5584eb6904d082725a51a745"},"transaction":{"id":"95b59fc2ad298d2c"}}
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.11.0"},"@timestamp":"2025-02-17T20:02:48.941+01:00","message":"Reason: error:1C800064:Provider routines::bad decrypt\nError: error:1C800064:Provider routines::bad decrypt\n at setKey (node:internal/tls/secure-context:93:11)\n at configSecureContext (node:internal/tls/secure-context:204:7)\n at Object.createSecureContext (node:_tls_common:116:3)\n at Server.setSecureContext (node:_tls_wrap:1486:27)\n at Server (node:_tls_wrap:1350:8)\n at new Server (node:https:75:3)\n at Object.createServer (node:https:133:10)\n at configureHttp1Listener (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_listener.js:29:44)\n at getServerListener (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_listener.js:22:63)\n at getServerOptions (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/get_server_options.js:35:51)\n at HttpServer.setup (/usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_server.js:142:65)\n at HttpService.preboot (/usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_service.js:62:26)\n at Server.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/server.js:194:27)\n at Root.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/root/index.js:47:14)\n at bootstrap (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/bootstrap.js:95:29)\n at Command. (/usr/share/kibana/src/cli/serve/serve.js:233:5)","log":{"level":"FATAL","logger":"root"},"process":{"pid":2360446,"uptime":5.790623256},"trace":{"id":"5b3c095f9face624907490180bdbcb29"},"transaction":{"id":"610ac96cc8507014"}}

Now, after I added this line:
server.ssl.keyPassphrase: "password"
Kibana can start.

But when I surf to https://ip:5601 I can see the certificate, but it still says "Connection not secure".

Any idea what could be missing or how to troubleshoot further?
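
The failure in the log above, reproduced as an added example (not code from this thread or from Kibana): a passphrase-protected key loaded through Node's `tls.createSecureContext` with no passphrase fails, and a preflight check tells the cases apart. The helper names and the generated key are constructed for illustration.

```javascript
const crypto = require('crypto');
const tls = require('tls');

// Constructed sample input: a throwaway RSA key as PKCS#8 PEM,
// passphrase-protected when a passphrase is given.
function makeKeyPem(passphrase) {
  const enc = { type: 'pkcs8', format: 'pem' };
  if (passphrase) Object.assign(enc, { cipher: 'aes-256-cbc', passphrase });
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: enc,
  }).privateKey;
}

// PEM markers of an encrypted key: PKCS#8 header or the legacy Proc-Type line.
function isEncryptedPem(pem) {
  return pem.includes('BEGIN ENCRYPTED PRIVATE KEY') ||
    /Proc-Type:\s*4,ENCRYPTED/.test(pem);
}

// Classify a key/passphrase pair before it reaches the TLS server.
function checkKey(pem, passphrase) {
  const encrypted = isEncryptedPem(pem);
  if (encrypted && !passphrase) return 'encrypted: passphrase required';
  try {
    crypto.createPrivateKey({ key: pem, passphrase });
  } catch (err) {
    return encrypted ? 'encrypted: wrong passphrase' : 'unreadable key';
  }
  return encrypted ? 'encrypted: passphrase ok' : 'unencrypted';
}

// tls.createSecureContext is the call in the stack trace above; this returns
// its error message, or null when the key loads.
function secureContextError(pem, passphrase) {
  try {
    tls.createSecureContext({ key: pem, passphrase });
    return null;
  } catch (err) {
    return err.message;
  }
}

const pem = makeKeyPem('constructed-passphrase');
console.log(checkKey(pem), '|', secureContextError(pem));
console.log(checkKey(pem, 'constructed-passphrase'), '|',
  secureContextError(pem, 'constructed-passphrase'));
```
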

Hi @arcsons,

Which version of Elasticsearch and Kibana are you using? For 8.x you should be able to follow the enrollment steps here without needing to generate the configuration yourself. Did you generate the certs yourself using elasticsearch-certutil?

Let us know!

Hi Charly,
I just tested with the FQDN and it worked. I got the certificates from the Windows team, which handles the CA.
But now I need to figure out how to protect the password in the kibana.yml. I can do that with the keystore thing, I guess?

Yes, using the keystore is the right way to go:

Perfect, working. Case closed. Thanks