Kibana and SSL

Dear forum members,
I am trying to configure SSL to access ES.
I have this conf in ES:

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  client_authentication: required
  enabled: true
  keystore.path: certs/{{ansible_hostname}}.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: certs/{{ansible_hostname}}.p12
  truststore.path: certs/{{ansible_hostname}}.p12

The cluster is deployed with Ansible, so you see the Ansible variables here.
The cluster goes up and is fine.
Then I tried to configure Kibana to access the cluster over HTTPS with this conf:

elasticsearch.ssl.keystore.path: /etc/kibana/kibana.p12
elasticsearch.ssl.truststore.path: /etc/kibana/kibana.p12

# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]

But Kibana doesn't join the cluster with this error:

{
    "ecs": {
        "version": "8.0.0"
    },
    "@timestamp": "2022-06-02T08:30:50.482+02:00",
    "message": "Plugin \"cloudSecurityPosture\" is disabled.",
    "log": {
        "level": "INFO",
        "logger": "plugins-service"
    },
    "process": {
        "pid": 147279
    },
    "trace": {
        "id": "1e05b847069cd2dfdf00265d5d411a24"
    },
    "transaction": {
        "id": "efd162abce2cbe57"
    }
}
{
    "ecs": {
        "version": "8.0.0"
    },
    "@timestamp": "2022-06-02T08:30:50.522+02:00",
    "message": "Plugin \"metricsEntities\" is disabled.",
    "log": {
        "level": "INFO",
        "logger": "plugins-service"
    },
    "process": {
        "pid": 147279
    },
    "trace": {
        "id": "1e05b847069cd2dfdf00265d5d411a24"
    },
    "transaction": {
        "id": "efd162abce2cbe57"
    }
}
{
    "ecs": {
        "version": "8.0.0"
    },
    "@timestamp": "2022-06-02T08:30:50.574+02:00",
    "message": "[config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing",
    "error": {
        "message": "[config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing",
        "type": "Error",
        "stack_trace": "Error: [config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing\n    at ensureValidConfiguration (/usr/share/kibana/src/core/server/config/ensure_valid_configuration.js:25:11)\n    at Server.preboot (/usr/share/kibana/src/core/server/server.js:164:5)\n    at Root.preboot (/usr/share/kibana/src/core/server/root/index.js:48:14)\n    at bootstrap (/usr/share/kibana/src/core/server/bootstrap.js:99:9)\n    at Command.<anonymous> (/usr/share/kibana/src/cli/serve/serve.js:216:5)"
    },
    "log": {
        "level": "FATAL",
        "logger": "root"
    },
    "process": {
        "pid": 147279
    },
    "trace": {
        "id": "1e05b847069cd2dfdf00265d5d411a24"
    },
    "transaction": {
        "id": "efd162abce2cbe57"
    }
}

Where do I put the ssl.keystore.secure_password?

Thanks,
S.

This configuration is going to cause you problems.

You're enforcing client certificates (client_authentication: required) but don't have any trust anchors (neither truststore.path nor certificate_authorities are configured). That means you will trust all of the JDK's built-in cacerts.
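
An added example, not part of the thread and not Elastic's code: a small lint that flags the condition the reply above describes, run over the settings as posted in the question. The function names and the simplified two-level parser are assumptions made for this illustration.

```python
import re

# Constructed sample: the two SSL blocks as posted in the question.
SAMPLE = """\
xpack.security.http.ssl:
  client_authentication: required
  enabled: true
  keystore.path: certs/{{ansible_hostname}}.p12

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: certs/{{ansible_hostname}}.p12
  truststore.path: certs/{{ansible_hostname}}.p12
"""

TRUST_KEYS = ("truststore.path", "certificate_authorities")

def flatten(text):
    """Flatten 'section:' headers plus indented 'key: value' lines into dotted keys.
    Handles only the simple two-level layout used here (not a YAML parser), so
    unquoted Ansible {{...}} placeholders are read as plain strings."""
    flat, section = {}, ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        if raw[0] not in " \t":
            section = ""                # back at top level
        if value.strip() == "":
            section = key + "."         # e.g. 'xpack.security.http.ssl:'
        else:
            flat[section + key] = value.strip().strip("\"'")
    return flat

def missing_trust_anchors(text):
    """Return SSL contexts that require client certificates but set no trust anchors."""
    flat = flatten(text)
    contexts = sorted({m.group(1) for k in flat
                       if (m := re.match(r"(xpack\.security\.\w+\.ssl)\.", k))})
    def unanchored(ctx):
        required = flat.get(ctx + ".client_authentication", "").lower() == "required"
        return required and not any(flat.get(f"{ctx}.{t}") for t in TRUST_KEYS)
    return [ctx for ctx in contexts if unanchored(ctx)]

if __name__ == "__main__":
    for ctx in missing_trust_anchors(SAMPLE):
        print(f"{ctx}: client_authentication required, no truststore.path or certificate_authorities")
```

On the posted settings only the HTTP context is reported; the transport context already sets truststore.path.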

Mmmm, so you mean that the error is in the Elasticsearch conf and not in the Kibana conf... I have missed the truststore...
I will try to add it.
Thanks,
S.

I have added the suggested line to elasticsearch.yml:

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: certs/{{ansible_hostname}}.p12
  truststore.path: certs/{{ansible_hostname}}.p12

but nothing has changed:

Jun  2 14:14:45 kibana kibana[178478]: FATAL  Error: [config validation of [elasticsearch].ssl.keystore.secure_password]: definition for this key is missing

I still don't understand how to let Kibana see the key it says is missing!

OK, I found the problem, it was my fault. Elasticsearch and Kibana were installed on the same machine and, with Elasticsearch removed, Kibana now works.

Thanks for the help.
S.