Hello,
I am attempting to set up TLS on my cluster. So far, I have secure communication between Logstash / Elasticsearch, the Elasticsearch nodes, and Elasticsearch / Kibana working without errors.
The last step is to secure the communication between Kibana and the browser, which is where I am running into errors. Specifically, verbose logging shows:
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","config"],"pid":23636,"message":"Marking config path as handled: server"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","http"],"pid":23636,"message":"registering route handler for [/core]"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","root"],"pid":23636,"message":"starting root"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","config"],"pid":23636,"message":"Marking config path as handled: logging"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","server"],"pid":23636,"message":"starting server"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","http","server"],"pid":23636,"message":"starting http server"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["debug","root"],"pid":23636,"message":"shutting root down"}
{"type":"log","@timestamp":"2019-05-29T17:51:03Z","tags":["fatal","root"],"pid":23636,"message":"{ Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n at Object.createSecureContext (_tls_common.js:134:17)\n at Server (_tls_wrap.js:870:27)\n at new Server (https.js:62:14)\n at Object.createServer (https.js:85:10)\n at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/hapi/lib/core.js:491:79)\n at new module.exports.internals.Core (/usr/share/kibana/node_modules/hapi/lib/core.js:112:30)\n at new module.exports (/usr/share/kibana/node_modules/hapi/lib/server.js:25:18)\n at Object.createServer (/usr/share/kibana/src/core/server/http/http_tools.js:75:20)\n at HttpServer.start (/usr/share/kibana/src/core/server/http/http_server.js:40:36)\n at HttpService.start (/usr/share/kibana/src/core/server/http/http_service.js:46:38)\n opensslErrorStack: [ 'error:0906A065:PEM routines:PEM_do_header:bad decrypt' ] }"}
To create the CA and certs, I ran the following:
#CA
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pass foo --pem --out /etc/elasticsearch/certs/ca.zip
#CRT + KEY
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /etc/elasticsearch/certs/ca/ca.crt --ca-key /etc/elasticsearch/certs/ca/ca.key --name serverName --dns serverName,serverName.domain.com --ip serverIPAddress --pass foo --pem --out /etc/elasticsearch/certs/cert.zip
My kibana.yml looks like this:
server.port: 5601
server.host: serverName
#Secure communication between Kibana and Elasticsearch
elasticsearch.hosts: ["https://serverName:9200"]
elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
#Secure communication between Kibana and Browser
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/serverName/serverName.crt
server.ssl.key: /etc/kibana/certs/serverName/serverName.key
#Settings
elasticsearch.requestTimeout: 120000
#Test
#xpack.security.enabled: true
#xpack.security.audit.enabled: true
#xpack.security.sessionTimeout: 600000
#xpack.security.encryptionKey: "32_character_string"
logging.verbose: true
I have tried working through this and this while troubleshooting with no luck. I have a feeling it has to do with the certs, but I'm not sure.
Any ideas?
Thanks,
Joe