Kibana can't connect to elasticsearch using self signed certificates

Elastic Stack Kibana
1

Hi, I have enabled TLS certificates for connection between Kibana and Elasticsearch as described here: Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [7.16] | Elastic

I use rsyslog to send data straight to Elasticsearch and that works fine, I can also use curl to talk to Elasticsearch so certificates are working fine for the https://localhost:9200 URL.

But when I try to do the same with Kibana then all I get is the dreaded "Unable to retrieve version information from Elasticsearch nodes. self signed certificate in certificate chain" log in /var/log/kibana/kibana.log

I used the Elasticsearch-certutil to create a CA, and a certificate/key pair for https using that CA, that also created a kibana directory in the zip file that included a .pem file that I use for telling kibana to trust the Elasticsearch certificate.

Here is the kibana.yml file:

server.publicBaseUrl: "my-dns-server-name"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.ssl.certificate: "/etc/kibana/elasticsearch-ssl/elasticsearch-ca.pem"
xpack.encryptedSavedObjects.encryptionKey: "xxxxxxx"
xpack.security.encryptionKey: "xxxxxxx"

And here is the Elasticsearch.yml file:

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.key: elasticsearch-ssl/elasticsearch.key.pem
xpack.security.transport.ssl.certificate: elasticsearch-ssl/elasticsearch.cert.pem
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elasticsearch-ssl/http.p12
discovery.type: single-node

All the referenced certificates are from the Elasticsearch-certutil program.

Anyone have ideas on why kibana does not trust the certificate?

2

Yeah looks like you are missing to specify the CA in the Kibana config and the key as well? see my kibana.yml:

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/Elasticsearch-ca.pem
server.ssl.key: /etc/ssl/kibana/kibana-key.key
Elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/Elasticsearch-ca.pem" ]
Elasticsearch.ssl.verificationMode: none

Elasticsearch.yml:

cluster.initial_master_nodes: ["node-1"]
xpack.security.transport.ssl.enabled: true
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.http.ssl.keystore.path: http.p12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

They do not have to have the same certs, I created a different cert for Kibana and a different one for Elasticsearch but used the same key and CA and used openssl i believe to generate the p12 format certs which include the ca into it, so i could actually technically be able to point kibana to those .p12 and it should work just fine as well.

To generate new cert w/openssl:

cd /etc/Elasticsearch/
openssl pkcs12 -in elastic-certificates.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in elastic-certificates.p12 -out newfile.key.pem -nocerts -nodes

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.