Kibana 7.9 Decrypt .key problem

I have configured Kibana to use HTTPS and TLS.
TLS key is somehow not encrypted (can read it in a cleartext, just encoded), despite I used --password option.
But HTTPS key is encrypted, and it seems like Kibana at the startup can't decrypt it. It's strange, cause I can decrypt it manually via openssl:
sudo openssl rsa -in /etc/kibana/http-mrsd-kibana.mrsd.test.key -out test
Enter pass phrase for /etc/kibana/http-mrsd-kibana.mrsd.test.key:
writing RSA key

Keystore contains same passphrase:
sudo /usr/share/kibana/bin/kibana-keystore list --allow-root
elasticsearch.ssl.keyPassphrase

Kibana config:

# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: 10.0.1.21

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name.  This is used for display purposes.
#server.name: "your-hostname"

# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://mrsd-enode1.mrsd.test:9200", "https://mrsd-enode2.mrsd.test:9200", "https://mrsd-enode3.mrsd.test:9200"]

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "xxx"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/http-mrsd-kibana.mrsd.test.crt
server.ssl.key: /etc/kibana/http-mrsd-kibana.mrsd.test.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
elasticsearch.ssl.certificate: /etc/kibana/mrsd-kibana.cer
elasticsearch.ssl.key: /etc/kibana/mrsd-kibana.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca_dc.cer" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid

# Enables you to specify a file where Kibana stores log output.
logging.dest: /var/log/kibana/kibana.log

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"

#Additional security settings
xpack.security.encryptionKey: "xxx"

And the error is:
{"type":"log","@timestamp":"2020-09-08T11:16:10Z","tags":["fatal","root"],"pid":8675,"message":"{ Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n at Object.createSecureContext (_tls_common.js:156:17)\n at Server (_tls_wrap.js:903:27)\n at new Server (https.js:62:14)\n at Object.createServer (https.js:85:10)\n at module.exports.internals.Core._createListener (/usr/share/kibana/node_modules/hapi/lib/core.js:491:79)\n at new module.exports.internals.Core (/usr/share/kibana/node_modules/hapi/lib/core.js:112:30)\n at new module.exports (/usr/share/kibana/node_modules/hapi/lib/server.js:25:18)\n at createServer (/usr/share/kibana/src/core/server/http/http_tools.js:110:18)\n at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:84:48)\n at HttpService.runNotReadyServer (/usr/share/kibana/src/core/server/http/http_service.js:162:26)\n at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:78:18)\n opensslErrorStack: [ 'error:0906A065:PEM routines:PEM_do_header:bad decrypt' ] }"}

Any advise how to fix it?

UPDATE1: Of cause I nedeed PassPhrase for server.ssl, not elasticsearch.ssl. So I changed It. But same problem persists.

Reinstalling with manual deletion of /usr/share/kibana solved my issue.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.