Kibana and ssl

Dear forum members,
I am trying to configure SSL to access ES.
I have this conf in ES:

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  client_authentication: required
  enabled: true
  keystore.path: certs/{{ansible_hostname}}.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: certs/{{ansible_hostname}}.p12
  truststore.path: certs/{{ansible_hostname}}.p12

The cluster is deployed with Ansible, so you see the Ansible variables here.
The cluster goes up and is fine.
Then I tried to configure Kibana to access the cluster over HTTPS with this conf:

elasticsearch.ssl.keystore.path: /etc/kibana/kibana.p12
elasticsearch.ssl.truststore.path: /etc/kibana/kibana.p12

# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]

But Kibana doesn't join the cluster with this error:

{
    "ecs": {
        "version": "8.0.0"
    },
    "@timestamp": "2022-06-02T08:30:50.482+02:00",
    "message": "Plugin \"cloudSecurityPosture\" is disabled.",
    "log": {
        "level": "INFO",
        "logger": "plugins-service"
    },
    "process": {
        "pid": 147279
    },
    "trace": {
        "id": "1e05b847069cd2dfdf00265d5d411a24"
    },
    "transaction": {
        "id": "efd162abce2cbe57"
    }
}
{
    "ecs": {
        "version": "8.0.0"
    },
    "@timestamp": "2022-06-02T08:30:50.522+02:00",
    "message": "Plugin \"metricsEntities\" is disabled.",
    "log": {
        "level": "INFO",
        "logger": "plugins-service"
    },
    "process": {
        "pid": 147279
    },
    "trace": {
        "id": "1e05b847069cd2dfdf00265d5d411a24"
    },
    "transaction": {
        "id": "efd162abce2cbe57"
    }
}
{
    "ecs": {
        "version": "8.0.0"
    },
    "@timestamp": "2022-06-02T08:30:50.574+02:00",
    "message": "[config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing",
    "error": {
        "message": "[config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing",
        "type": "Error",
        "stack_trace": "Error: [config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing\n    at ensureValidConfiguration (/usr/share/kibana/src/core/server/config/ensure_valid_configuration.js:25:11)\n    at Server.preboot (/usr/share/kibana/src/core/server/server.js:164:5)\n    at Root.preboot (/usr/share/kibana/src/core/server/root/index.js:48:14)\n    at bootstrap (/usr/share/kibana/src/core/server/bootstrap.js:99:9)\n    at Command.<anonymous> (/usr/share/kibana/src/cli/serve/serve.js:216:5)"
    },
    "log": {
        "level": "FATAL",
        "logger": "root"
    },
    "process": {
        "pid": 147279
    },
    "trace": {
        "id": "1e05b847069cd2dfdf00265d5d411a24"
    },
    "transaction": {
        "id": "efd162abce2cbe57"
    }
}

Where do I put the ssl.keystore.secure_password?

Thanks,
S.

This configuration is going to cause you problems.

You're enforcing client certificates (client_authentication: required) but don't have any trust anchors (neither truststore.path nor certificate_authorities are configured). That means you will trust all the JDK's built-in cacerts.
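
Added example (not part of the reply above and not Elastic's code): a small check that reports which xpack.security SSL block requires client certificates while setting neither truststore.path nor certificate_authorities. The sample input is constructed from the configuration in the question, with the Ansible variable replaced by a made-up hostname; the function names are chosen for this example and the parser assumes the simple key/value layout shown in the thread.

```python
import re

# Constructed sample: the two SSL blocks from the question, with the Ansible
# template variable replaced by a made-up hostname (node1).
SAMPLE = """\
xpack.security.http.ssl:
  client_authentication: required
  enabled: true
  keystore.path: certs/node1.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: certs/node1.p12
  truststore.path: certs/node1.p12
"""
TRUST_KEYS = ("truststore.path", "certificate_authorities")

def flatten(text):
    """Flatten nested or dotted 'key: value' YAML into full dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) of the open parent blocks
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        m = re.match(r"^(\s*)([^:\s][^:]*):\s*(.*)$", line)
        if not m or line.lstrip().startswith("#"):
            continue  # blank line, comment line, or a "- item" list entry
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave blocks that are indented as deep or deeper
        full = ".".join([k for _, k in stack] + [key])
        flat[full] = value.strip("\"'")
        if not value:  # a key with no inline value opens a nested block or list
            stack.append((indent, key))
    return flat

def missing_trust_anchors(text):
    """Return SSL contexts that require client certs but name no trust anchor."""
    flat = flatten(text)
    findings = []
    for key, value in flat.items():
        if key.endswith(".ssl.client_authentication") and value == "required":
            ctx = key[: -len(".client_authentication")]
            if not any(f"{ctx}.{t}" in flat for t in TRUST_KEYS):
                findings.append(ctx)
    return sorted(findings)

if __name__ == "__main__":
    print(missing_trust_anchors(SAMPLE))
```

On the configuration from the question it reports xpack.security.http.ssl only; the transport block already sets truststore.path.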

Mmmm, so you mean that the error is in the Elasticsearch conf and not in the Kibana conf... I have missed the truststore...
I will try to add it.
Thanks,
S.

I have added the suggested line to elasticsearch.yml:

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: certs/{{ansible_hostname}}.p12
  truststore.path: certs/{{ansible_hostname}}.p12

but nothing has changed:

Jun  2 14:14:45 kibana kibana[178478]: FATAL  Error: [config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing

I still don't understand how to let Kibana see the key it says is missing!

OK, I found the problem, it was my fault. Elasticsearch and Kibana were installed on the same machine and, with Elasticsearch removed, Kibana now works.

Thanks for the help.
S.
