Kibana https digicert

Hi,

My company domain has a wildcard ssl certificate from digicert.
Is there a way to use it with kibana so that kibana will be accessed via https?
I have followed this: https://www.elastic.co/guide/en/kibana/6.6/configuring-tls.html
but failed

I am using version 6.6 without any proxy like nginx
Should I use nginx as https proxy for this kind of setup?
I dont find any tutorial specific with installing digicert for kibana

Thanks

Hi @amin.nugroho,

I haven't heard of any issues related to this yet. How does your kibana.yml look like? What exactly do you mean when you say that your attempt has failed? Do you see any errors anywhere?

Best,
Oleg

server.ssl.enabled: true
server.ssl.certificate: /root/star.pem
server.ssl.key: /root/star.key
server.ssl.certificateAuthorities: /root/DigiCertCA.pem

when this is enabled, kibana cant be accessed either from https/http, with error: the site cant be reached, refused to connect

I am still using the default 5601 port as in kibana.mydomain:5601

Would you mind enabling verbose logging (logging.verbose: true) and tell what you see in the logs? When you start Kibana and also when you try to access it via the browser.

Jun 14 16:42:15 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:15Z","tags":["debug","config"],"pid":23498,"message":"Marking config path as handled: server"}
Jun 14 16:42:15 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:15Z","tags":["debug","http"],"pid":23498,"message":"registering route handler for [/core]"}
Jun 14 16:42:15 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:15Z","tags":["debug","root"],"pid":23498,"message":"starting root"}
Jun 14 16:42:15 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:15Z","tags":["debug","config"],"pid":23498,"message":"Marking config path as handled: logging"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:16Z","tags":["debug","server"],"pid":23498,"message":"starting server"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:16Z","tags":["debug","http","server"],"pid":23498,"message":"starting http server"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:16Z","tags":["debug","root"],"pid":23498,"message":"shutting root down"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:16Z","tags":["fatal","root"],"pid":23498,"message":"{ Error: EACCES: permission denied, open '/root/DigiCertCA.pem'\n at Object.openSync (fs.js:439:3)\n at Object.readFileSync (fs.js:344:35)\n at tlsOptions.ca.config.ssl.certificateAuthorities.config.ssl.certificateAuthorities.map.caFilePath (/usr/share/kibana/src/core/server/http/http_tools.js:60:74)\n at Array.map ()\n at Object.getServerOptions (/usr/share/kibana/src/core/server/http/http_tools.js:60:51)\n at HttpServer.start (/usr/share/kibana/src/core/server/http/http_server.js:39:44)\n at HttpService.start (/usr/share/kibana/src/core/server/http/http_service.js:46:38)\n at process._tickCallback (internal/process/next_tick.js:68:7)\n at Function.Module.runMain (internal/modules/cjs/loader.js:745:11)\n at startup (internal/bootstrap/node.js:283:19)\n errno: -13,\n syscall: 'open',\n code: 'EACCES',\n path: '/root/DigiCertCA.pem' }"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:16Z","tags":["debug","server"],"pid":23498,"message":"stopping server"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:16Z","tags":["debug","legacy-service"],"pid":23498,"message":"stopping legacy service"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: {"type":"log","@timestamp":"2019-06-14T09:42:16Z","tags":["debug","plugins-service"],"pid":23498,"message":"Stopping plugins service"}
Jun 14 16:42:16 kibana.bps.go.id kibana[23498]: FATAL Error: EACCES: permission denied, open '/root/DigiCertCA.pem'
Jun 14 16:42:16 kibana.bps.go.id systemd[1]: kibana.service: main process exited, code=exited, status=1/FAILURE
Jun 14 16:42:16 kibana.bps.go.id systemd[1]: Unit kibana.service entered failed state.
Jun 14 16:42:16 kibana.bps.go.id systemd[1]: kibana.service failed.
Jun 14 16:42:16 kibana.bps.go.id systemd[1]: kibana.service holdoff time over, scheduling restart.
Jun 14 16:42:16 kibana.bps.go.id systemd[1]: Stopped Kibana.
Jun 14 16:42:16 kibana.bps.go.id systemd[1]: Started Kibana.

the certificate originally in crt, I converted it to pem follwong this: https://stackoverflow.com/questions/4691699/how-to-convert-crt-to-pem

Hmm, that looks like the reason, Kibana can't access the /root/DigiCertCA.pem and hence fails to start. Can you make sure the paths and permissions are correct?

what should be the correct permission?

Kibana process should be able to read from this location, that's it. You can probably just move these files to Kibana config directory and see if it works or not.