Kibana HTTPS - Impossible to use verification mode "full" for docker services?

J7mbo · March 24, 2020, 9:14pm

Docker services use their internal DNS to resolve "elasticsearch", so I can point kibana at "https://elasticsearch:9200".

The problem is, I have to set verification mode to "certificate" because the https certificate is for my domain, not for "elasticsearch".

I googled "subject alternative names" and it doesn't look like I can generate a certificate (I'm using letsencrypt) for "elasticsearch" - because anyone could do that!

So, if I'm using docker, and dns resolution is via docker, must we always use certificate instead of full? Or is there something else I'm missing?

Mikhail_Shustov · March 25, 2020, 7:38am

It seems so. As I can see, it's the recommended way to use self-signed certificates
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls-docker.html

J7mbo · March 25, 2020, 8:13am

Is it possible to use both a real certificate + key so it resolves to a public domain name, and a self-signed certificate + key with CA that signed it (as the docs show), so that I can have the best of both worlds?

Publicly I would be able to visit this on https by it's domain name, and then Kibana could use full verification mode when talking to Elasticsearch internally within docker.

Mikhail_Shustov · March 25, 2020, 9:37am

Yes, you can configure server.ssl with your real cert and use a self-signed cert for elasticsearch.ssl. Would it work for you?

J7mbo · March 25, 2020, 9:45am

I'm not sure. If I add: verificationmode and authorities, wouldn't these options be for everything?

What would the config look like having both:

verification mode "full" with no authorities (for the real cert)
verification mode "certificate" with the self-signing authority (for the self-signed cert)
specifying separate key + cert pem paths for both

I'm not sure how I can do that with the config.

Mikhail_Shustov · March 25, 2020, 12:32pm

If I add: verificationmode and authorities , wouldn't these options be for everything?

no, server.ssl and elasticsearch.ssl are different config options. You cannot set verificationmode for server.ssl and have to use "real" certificate:

server.ssl.enabled: true
server.ssl.key: ...
server.ssl.certificate: ...
server.ssl. certificateAuthorities: ...

you can use self-signed certificate for elasticsearch.ssl tho:

elasticsearch.ssl.certificateAuthorities: ...
elasticsearch.ssl.verificationMode: "certificate"

system · April 22, 2020, 12:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[ConnectionError]: unable to verify the first certificate Kibana elastic-stack-security , docker	2	3439	July 15, 2022
Full verification mode possible with self generated CA? Kibana elastic-stack-security	11	982	August 27, 2019
Using own SSL certificate doesn't work on stack Elasticsearch + Kibana Elasticsearch docker	1	226	August 3, 2023
SSL Cert with own CA for Https-Use Kibana elastic-stack-security	4	3980	November 28, 2018
My Kibana is not being able to connect with my Elasticsearch because of Self-Signed Certificate Kibana docker	3	858	January 19, 2022

Kibana HTTPS - Impossible to use verification mode "full" for docker services?

Related topics