Kibana 7.1.0 -- Secure Communication Between Kibana and Browser -- Bad Decrypt Error

Hello,

I am attempting to set up TLS on my cluster. So far, I have secure communication between Logstash / Elasticsearch, the Elasticsearch nodes, and Elasticsearch / Kibana working without errors.

The last step is to secure the communication between Kibana and the browser, which is where I am running into errors. Specifically, verbose logging shows:

{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","config"],"pid":23636,"message":"Marking config path as handled: server"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","http"],"pid":23636,"message":"registering route handler for [/core]"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","root"],"pid":23636,"message":"starting root"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","config"],"pid":23636,"message":"Marking config path as handled: logging"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","server"],"pid":23636,"message":"starting server"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","http","server"],"pid":23636,"message":"starting http server"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","root"],"pid":23636,"message":"shutting root down"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["fatal","root"],"pid":23636,"message":"{ Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n    at Object.createSecureContext (_tls_common.js:134:17)\n    at Server (_tls_wrap.js:870:27)\n    at new Server (https.js:62:14)\n    at Object.createServer (https.js:85:10)\n    at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/hapi/lib/core.js:491:79)\n    at new module.exports.internals.Core (/usr/share/kibana/node_modules/hapi/lib/core.js:112:30)\n    at new module.exports (/usr/share/kibana/node_modules/hapi/lib/server.js:25:18)\n    at Object.createServer (/usr/share/kibana/src/core/server/http/http_tools.js:75:20)\n    at HttpServer.start (/usr/share/kibana/src/core/server/http/http_server.js:40:36)\n    at HttpService.start (/usr/share/kibana/src/core/server/http/http_service.js:46:38)\n  opensslErrorStack: [ 'error:0906A065:PEM routines:PEM_do_header:bad decrypt' ] }"}

To create the CA and certs, I ran the following:

#CA
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pass foo --pem --out /etc/elasticsearch/certs/ca.zip
#CRT + KEY
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /etc/elasticsearch/certs/ca/ca.crt --ca-key /etc/elasticsearch/certs/ca/ca.key --name serverName --dns serverName,serverName.domain.com --ip serverIPAddress --pass foo --pem --out /etc/elasticsearch/certs/cert.zip

My kibana.yml looks like this:

server.port: 5601
server.host: serverName

#Secure communication between Kibana and Elasticsearch
elasticsearch.hosts: ["https://serverName:9200"]
elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate

#Secure communication between Kibana and Browser
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/serverName/serverName.crt
server.ssl.key: /etc/kibana/certs/serverName/serverName.key

#Settings
elasticsearch.requestTimeout: 120000

#Test
#xpack.security.enabled: true
#xpack.security.audit.enabled: true
#xpack.security.sessionTimeout: 600000
#xpack.security.encryptionKey: "32_character_string"

logging.verbose: true

I have tried working through this and this while troubleshooting with no luck. I have a feeling it has to do with the certs, but I'm not sure.

Any ideas?

Thanks,
Joe


Hey @ShaqFanClub, you'll need to set server.ssl.keyPassphrase: foo in your kibana.yml as you're specifying the --pass option when generating the certificate and key.
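The mismatch described in the reply above can be caught before Kibana starts. The following is an added example, not code from the thread or from Kibana: it checks whether a PEM key is encrypted and whether the `server.ssl.keyPassphrase` value in kibana.yml decrypts it. The function names are hypothetical, the sample key is constructed in memory, and Node's `crypto.createPrivateKey` stands in for Kibana's own key loading.

```javascript
// Added example, not code from the thread. Preflight check for a Kibana TLS key.
const crypto = require('node:crypto');

// Constructed sample input: an EC key generated in memory, optionally encrypted.
function makeSampleKey(passphrase) {
  const enc = { type: 'pkcs8', format: 'pem' };
  if (passphrase) Object.assign(enc, { cipher: 'aes-256-cbc', passphrase });
  return crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: enc,
  }).privateKey;
}

// Encrypted PEM keys announce it in their header: PKCS#8 uses a distinct
// BEGIN line, the traditional OpenSSL format adds a Proc-Type header.
function isEncryptedPem(pem) {
  return pem.includes('-----BEGIN ENCRYPTED PRIVATE KEY-----') ||
    /^Proc-Type:\s*4,ENCRYPTED/m.test(pem);
}

// Reads server.ssl.keyPassphrase from flat "key: value" kibana.yml text.
// Commented-out lines do not match; surrounding quotes are stripped.
function readKeyPassphrase(ymlText) {
  const m = ymlText.match(/^[ \t]*server\.ssl\.keyPassphrase:[ \t]*(\S.*?)[ \t]*$/m);
  return m ? m[1].replace(/^(["'])(.*)\1$/, '$2') : undefined;
}

// Returns a one-line verdict for the key/config pair.
function checkKibanaKey(pem, ymlText) {
  if (!isEncryptedPem(pem)) return 'ok: key is not encrypted';
  const passphrase = readKeyPassphrase(ymlText);
  if (passphrase === undefined) {
    return 'fail: key is encrypted but server.ssl.keyPassphrase is not set';
  }
  try {
    crypto.createPrivateKey({ key: pem, format: 'pem', passphrase });
    return 'ok: server.ssl.keyPassphrase decrypts the key';
  } catch (err) {
    return 'fail: server.ssl.keyPassphrase does not decrypt the key';
  }
}

const sampleKey = makeSampleKey('foo'); // "foo" is the --pass value in the thread
console.log(checkKibanaKey(sampleKey, 'server.ssl.enabled: true\n'));
console.log(checkKibanaKey(sampleKey, 'server.ssl.keyPassphrase: foo\n'));
```

To run it against real files, pass the contents of the key file and kibana.yml (read with `fs.readFileSync(path, 'utf8')`) to `checkKibanaKey`.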
