Kibana Kubernetes with HTTPS

Hi, everyone:

I would like to know how to configure HTTPS in Kibana on Kubernetes. I have created my own certificate with OpenSSL:

openssl req -x509 -newkey rsa:2048 -nodes -keyout /home/{{my_user}}/main-certs/main.key -out /home/{{my_user}}/main-certs/main.crt -days 365 -subj /C=ES/ST=Spain/L=Madrid/O=Entreprise/OU=IT/CN={{kubernetes-master}}

kibana.yml


server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/https/main.key
server.ssl.certificate: /usr/share/kibana/https/main.crt

I have an issue related to this when I deploy Kibana:

{"type":"error","@timestamp":"2019-04-02T09:32:44Z","tags":["connection","client","error"],"pid":1,"level":"error","error":{"message":"139651378964352:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/s3_pkt.c:1498:SSL alert number 42\n","name":"Error","stack":"Error: 139651378964352:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/s3_pkt.c:1498:SSL alert number 42\n"},"message":"139651378964352:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/s3_pkt.c:1498:SSL alert number 42\n"}

StatefulSet


apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kibana
  labels:
    k8s-app: kibana
spec:
  serviceName: kibana
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kibana
  template:
    metadata:
      labels:
        k8s-app: kibana
    spec:
      containers:
      - name: kibana
        image: docker.elastic.co/kibana/kibana:6.5.4
        ports:
        - name: http
          containerPort: 5601
        volumeMounts:
        - name: https
          mountPath: /usr/share/kibana/https
        - name: config
          mountPath: /usr/share/kibana/config/kibana.yml
          subPath: kibana.yml
      volumes:
      - name: https
        secret:
         secretName: main-tls-secret
      - name: config
        configMap:
         name: kibana-config

Service


apiVersion: v1
kind: Service
metadata:
  name: kibana
  labels:
    k8s-app: kibana
spec:
  type: NodePort
  ports:
  - name: http
    port: 5601
    nodePort: 30100
  selector:
    k8s-app: kibana

Thanks in advance,

Regards
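Added example, not part of the original post or of Kibana: a Python helper that decodes the OpenSSL error carried in the log line above, to show which TLS alert it is and which side sent it. It assumes the OpenSSL 1.0.x/1.1.x error-code layout (8-bit library, 12-bit function, 12-bit reason); the name `decode_tls_error` and the shortened sample record are constructed for illustration.

```python
import json
import re

# TLS alert descriptions (RFC 5246 section 7.2), handshake/certificate subset.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}
# OpenSSL reports an alert read from the peer as reason = 1000 + alert number.
ALERT_REASON_OFFSET = 1000

# "error:<8 hex digits>:<library>:<function>:<reason text>"
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+)")

def decode_tls_error(log_line):
    """Decode the first OpenSSL error found in a Kibana JSON log line."""
    record = json.loads(log_line)
    match = ERR_RE.search(record.get("message", ""))
    if match is None:
        return None
    code = int(match.group(1), 16)
    # Assumed packing (OpenSSL 1.0.x/1.1.x): the low 12 bits are the reason code.
    reason = code & 0xFFF
    from_peer = reason >= ALERT_REASON_OFFSET
    alert = reason - ALERT_REASON_OFFSET if from_peer else None
    return {
        "tags": record.get("tags", []),
        "library": match.group(2),
        "function": match.group(3),
        "reason": reason,
        "alert_received_from_peer": from_peer,
        "alert_number": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if from_peer else None,
    }

# Constructed sample: the log line from the post, cut down to the fields used here.
SAMPLE = json.dumps({
    "type": "error", "tags": ["connection", "client", "error"],
    "message": "139651378964352:error:14094412:SSL routines:ssl3_read_bytes:"
               "sslv3 alert bad certificate:../deps/openssl/openssl/ssl/s3_pkt.c:1498:"
               "SSL alert number 42\n",
})

if __name__ == "__main__":
    print(decode_tls_error(SAMPLE))
```

A reason code of 1000 or more means the alert was sent by the remote end and read by the process that wrote the log, so the certificate being rejected is the one that process presented.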

I believe this error is from connecting to ES, not from the Kibana server itself. Are you by chance using SSL keys for the Elasticsearch connection as well?

Can you provide your entire Kibana configuration?

To get around this now, you should be able to set elasticsearch.ssl.verify: false

Hi, @tylersmalley

I use the elasticsearch.ssl.verificationMode parameter, because elasticsearch.ssl.verify is deprecated (since 5.3.0).

This is my Kibana config:

server.port: 5601
server.host: 0.0.0.0
server.name: kibana-0
elasticsearch.url: https://elasticsearch:9200
kibana.defaultAppId: "dashboard/Main-dashboard"
elasticsearch.username: elastic_user
elasticsearch.password: topsecret
searchguard.readonly_mode.roles: ["sg_kibana_user"]
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/https/main.key
server.ssl.certificate: /usr/share/kibana/https/main.crt
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/searchguard/ssl/root-ca.pem" ]

searchguard.basicauth.login.title: "Welcome"
searchguard.basicauth.login.subtitle: "If you have forgotten your username or password, please contact your system administrator"

# Monitoring
xpack.monitoring.enabled: true

# Apps
xpack.grokdebugger.enabled: true
xpack.reporting.enabled: true
timelion.enabled: false
xpack.apm.ui.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.security.enabled: false

Thanks in advance,

Rodrigo

Hi, @tylersmalley

I have done some tests with Firefox and Google Chrome. With Firefox there is no problem; however, with Google Chrome, Kibana shows a handshake error.

From my point of view, if Kibana kept TLS sessions open, this kind of issue would be mitigated.

Regards
