Kibana tls certificate

I'm trying to enable TLS certification with X-Pack.

docker-compose.yml

version: '2.2'

services:
  es01:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
    environment:
      - node.name=es01
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD 
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=basic
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate 
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    volumes: ['data01:/usr/share/elasticsearch/data', 'certs:$CERTS_DIR']
    ports:
      - 9200:9200

  kibana:
    depends_on:
      - es01
    image: docker.elastic.co/kibana/kibana:7.2.0
    environment: 
      - xpack.security.enabled=true
    ports: 
      - 5601:5601
    volumes:
      - /home/alex/Desktop/tls/kibana.yml:/usr/share/kibana/config/kibana.yml
    extra_hosts: 
      - "es01:127.0.0.1"


volumes: {"data01", "certs"}

kibana.yml

server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "https://es01:9200" ]
elasticsearch.username: "elastic"
elasticsearch.password: "pa55word"

create-certs.yml

version: '2.2'

services:
  create_certs:
    container_name: create_certs
    image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
    command: >
      bash -c '
        yum install -y -q -e 0 unzip;
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs; 
        fi;
        chown -R 1000:0 /certs 
      '
    user: "0"
    working_dir: /usr/share/elasticsearch
    volumes: ['certs:/certs', '.:/usr/share/elasticsearch/config/certificates']

volumes: {"certs"}

instances.yml

instances:
  - name: es01
    dns:
      - es01 
      - localhost
    ip:
      - 127.0.0.1

.env

COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates
ELASTIC_PASSWORD=pa55word

I followed this tutorial:
https://www.elastic.co/guide/en/elasticsearch/reference/7.2/configuring-tls-docker.html

So, Elasticsearch works fine. I can reach Elasticsearch at https://localhost:9200
and can see the certificate.

But the Kibana container fails and gives out some errors:

kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:26Z","tags":["warning","elasticsearch","data"],"pid":1,"message":"Unable to revive connection: https://es01:9200/"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:26Z","tags":["warning","elasticsearch","data"],"pid":1,"message":"No living connections"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:26Z","tags":["license","warning","xpack"],"pid":1,"message":"License information from the X-Pack plugin could not be obtained from Elasticsearch for the [data] cluster. Error: No Living connections"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:29Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"Unable to revive connection: https://es01:9200/"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:29Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"No living connections"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:30Z","tags":["reporting","browser-driver","warning"],"pid":1,"message":"Enabling the Chromium sandbox provides an additional layer of protection."}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:30Z","tags":["reporting","warning"],"pid":1,"message":"Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:30Z","tags":["status","plugin:reporting@7.2.0","error"],"pid":1,"state":"red","message":"Status changed from uninitialized to red - No Living connections","prevState":"uninitialized","prevMsg":"uninitialized"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:30Z","tags":["status","plugin:security@7.2.0","error"],"pid":1,"state":"red","message":"Status changed from green to red - No Living connections","prevState":"green","prevMsg":"Ready"}
kibana_1  | {"type":"log","@timestamp":"2019-09-06T12:11:30Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"Unable to revive connection: 

localhost:5601 works. I can get message "Kibana server is not ready yet"
https://localhost:5601 is not working.

Inside the Kibana container I can't

curl es01:9200

with error

connection refused

/etc/hosts
already has all hosts.

Where is the error?
Thank you a lot.

Hey @O.Shulha,

> localhost:5601 works. I can get message "Kibana server is not ready yet"

I believe you should properly set elasticsearch.ssl.certificateAuthorities in kibana.yml as well (so that Kibana server can trust Elasticsearch self-signed certificate).

> https://localhost:5601 is not working.

Well, you set up TLS for Elasticsearch, but not for Kibana, it's still served through plain HTTP. See Encrypting communications in Kibana if you want to set up TLS for Kibana as well.

Best,
Oleg
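
An added example (not part of the reply above or of the Elastic tutorial) of a kibana.yml that applies both points from the reply. It assumes the certs volume is also mounted into the Kibana container at the hypothetical path /usr/share/kibana/config/certs, and that a kibana entry has been added to instances.yml so that elasticsearch-certutil also produces kibana/kibana.crt and kibana/kibana.key.

```yaml
# kibana.yml (added example; all certificate paths below are assumptions)
server.name: kibana
server.host: "0"

# --- Kibana -> Elasticsearch (outbound HTTPS) ---
elasticsearch.hosts: [ "https://es01:9200" ]
elasticsearch.username: "elastic"
elasticsearch.password: "pa55word"

# Trust the CA that signed es01.crt. Without this, Kibana cannot validate
# the certificate Elasticsearch presents on https://es01:9200.
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/certs/ca/ca.crt" ]

# "full" checks the chain and that the hostname matches the certificate.
# es01 is listed under dns: in instances.yml, so "full" is expected to pass.
elasticsearch.ssl.verificationMode: full

# Weak setting, shown only for contrast: it makes the connection errors
# go away by skipping certificate checks entirely.
# elasticsearch.ssl.verificationMode: none

# --- Browser -> Kibana (inbound HTTPS on 5601) ---
# TLS on Elasticsearch does not enable TLS on Kibana; it is configured
# separately with Kibana's own certificate and key.
server.ssl.enabled: true
server.ssl.certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
server.ssl.key: /usr/share/kibana/config/certs/kibana/kibana.key
```

To check the trust path from inside the Kibana container, `curl --cacert /usr/share/kibana/config/certs/ca/ca.crt https://es01:9200` should complete the TLS handshake, provided es01 resolves to the Elasticsearch container.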
