Elasticsearch SSL is working. Moving onto Kibana SSL.
I've followed the documents to generate new csr requests for Kibana-server.cer and kibana-server.key files. I've placed them in the kibana config directory. I've updated the kibana.yml file to include these paths on Windows Server 2019. I am using a Windows Certificate Authority for signing certificate requests. I've download the CA Root certificate as a .cer file for Elasticsearch.ssl.certificateAuthorities. This is the same CA certificate used for Elasticsearch. I continue to receive the following error:

PS C:\Program Files\Elastic\Kibana\bin> .\kibana.bat
  log   [00:24:06.427] [info][plugins-service] Plugin "metricsEntities" is disabled.
  log   [00:24:06.506] [fatal][root] Error: error:0909006C:PEM routines:get_name:no start line
    at Object.createSecureContext (_tls_common.js:129:17)
    at Server.setSecureContext (_tls_wrap.js:1330:27)
    at Server (_tls_wrap.js:1185:8)
    at new Server (https.js:74:3)
    at Object.createServer (https.js:110:10)
    at module.exports.internals.Core._createListener (C:\Program Files\Elastic\Kibana\node_modules\@hapi\hapi\lib\core.js:539:79)
    at new module.exports.internals.Core (C:\Program Files\Elastic\Kibana\node_modules\@hapi\hapi\lib\core.js:133:30)
    at new module.exports (C:\Program Files\Elastic\Kibana\node_modules\@hapi\hapi\lib\server.js:23:18)
    at createServer (C:\Program Files\Elastic\Kibana\node_modules\@kbn\server-http-tools\target_node\create_server.js:18:18)
    at HttpServer.setup (C:\Program Files\Elastic\Kibana\src\core\server\http\http_server.js:106:53)
    at HttpService.preboot (C:\Program Files\Elastic\Kibana\src\core\server\http\http_service.js:76:51)
    at Server.preboot (C:\Program Files\Elastic\Kibana\src\core\server\server.js:200:25)
    at Root.preboot (C:\Program Files\Elastic\Kibana\src\core\server\root\index.js:44:14)
    at bootstrap (C:\Program Files\Elastic\Kibana\src\core\server\bootstrap.js:99:9)
    at Command.<anonymous> (C:\Program Files\Elastic\Kibana\src\cli\serve\serve.js:226:5) {
  library: 'PEM routines',
  function: 'get_name',
  reason: 'no start line',

 FATAL  Error: error:0909006C:PEM routines:get_name:no start line

What am I missing?

I was able to get past this error by exporting my certificates from the Windows CA in Base64 format not DER . I then encountered a secondary error regarding bad_decrypt. What was not written in any documentation is there is a configuration setting that needs to be entered when you set a passphrase on a certificate when the key is generated. Seems pretty important detail to miss in ALL of the documentation.

1 - Export Windows Certificates in Base64 format
2 - server.ssl.keyPassphrase: or Elasticsearch.ssl.keyPassphrase: in the kibana.yml

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.