The Curl command shows a 401 error. The rotating was caused by by a stylesheet error, so it looks that Kibana and/or Elastic hasn't authorised the user of token somehow? So the real question is probably what did I configure wrong after figuring out how to deal with a JWT token.
No error messages in /var/log/elastcsearch-cluster.log
Simular (later) message in kibana.log
{"client":{"ip":"10.136.119.5"},"http":{"request":{"method":"GET","mime_type":null,"referrer":"","headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate, br","accept-language":"nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7","authorization":"[REDACTED]","cache-control":"max-age=0","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","x-correlationid":"052d0d72-4b83-465a-81e3-76fc3d876bab","x-forwarded-for":"10.136.108.37,beheer-fix.logging.mso.mhsrijk.nl:8011, vws-dca-wsgo-02.mso.mhsrijk.nl:8080","cookie":"[REDACTED]","host":"log-web-kibana-fix.mso.mhsrijk.nl:443","connection":"Keep-Alive"}},"response":{"body":{"bytes":166278},"status_code":200,"headers":{"x-content-type-options":"nosniff","referrer-policy":"no-referrer-when-downgrade","content-security-policy":"script-src 'self' 'unsafe-eval'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'","kbn-name":"VGA-cluster","kbn-license-sig":"cc7f6f33d5509b9f3224eecf78dad0e805474cc3a0b847cdc9af5486a3c9d3c2","content-type":"text/html; charset=utf-8","cache-control":"private, no-cache, no-store, must-revalidate","vary":"accept-encoding","content-encoding":"gzip"},"responseTime":44}},"url":{"path":"/app/home","query":""},"user_agent":{"original":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"},"trace":{"id":"984876f2c2c9f7d70d855f51ae8727c9"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2023-02-14T12:27:41.115+01:00","message":"GET /app/home 200 44ms - 162.4KB","log":{"level":"DEBUG","logger":"http.server.response"},"process":{"pid":822808},"transaction":{"id":"454534800ff67868"}}
curl -I -k https://10.136.120.227:5601 -H "Authorization:Bearer REDACTED"
HTTP/1.1 401 Unauthorized
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
content-security-policy: script-src 'self' 'unsafe-eval'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'
kbn-name: VGA-cluster
kbn-license-sig: REDACTED
refresh: 0;url=/login?msg=UNAUTHENTICATED&next=%2F
content-type: text/html; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
content-length: 6
Date: Tue, 14 Feb 2023 10:31:59 GMT
Connection: keep-alive
Keep-Alive: timeout=120
type or paste code here
Result in the browser
line 286 in kui_light.min.css
// Since this is an unsafe inline script, this code will not run
// in browsers that support content security policy(CSP). This is
// intentional as we check for the existence of __kbnCspNotEnforced__ in
// bootstrap.
Decoded Token payload
{
"identity": "vriese@mso.mhsrijk.nl",
"idp": "Windows",
"role": [
"Beheerder_KPV",
"Beheerder_INFRA"
],
"iat": 1676369766,
"llt": 1676369766,
"iss": "cibg",
"aud": "lggng",
"exp": 1676371237,
"nbf": 1676369707,
"cat": 1676370007,
"tokenid": "817e5e03-c773-4cb4-be6d-5cac06123af1"
}````