Kibana6.7.0 ssl client connection error

(Yungyoung Ok) #1

kibana.yml "IPADDRESS" "IPADDRESS" true
elasticsearch.username: "kibana"
elasticsearch.password: "password"

server.ssl.enabled: true
server.ssl.certificate: /path/to/certificate/es-demo/es-demo.crt
server.ssl.key: /path/to/certificate/es-demo/es-demo.key

I tried to create certificate with elasticsearch-certutil, elasticsearch-certgen, but the same error occurs.
like this..


$ES_HOME/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --pem --ip IPADDRESS --out --ca-dn CN=IPADDRESS

What more settings do I need?

Kibana6.7.0 ssl 설정 에러 문의
(Larry Gregory) #2

Hey @Yungyoung_Ok,

Are you connecting to Elasticsearch over https? If so, you need to make sure that certificate is trusted by Kibana. If a custom CA was used for that certificate, then you'll need to set elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] as well.

If not, then I have a few more questions:

When is this error appearing in the logs? Are there any other errors?

Does Kibana function despite these errors, either partially or fully?

Is Elasticsearch configured to require a client certificate?

(Yungyoung Ok) #3

Yes, I set elasticsearch.ssl.certificateAuthorities just like the above guide.
elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.cer" ]

With this setting, both the ElasticSearch and Kibana functions well.

This error occurs when setting kibana ssl.

No other errors will occur.

(Larry Gregory) #4

Can you set logging.verbose: true in your kibana.yml, restart Kibana, and post the complete log file?

(Yungyoung Ok) #5

Here is kibana log

※ The certificate was created using elasticsearch-certutil.

(Larry Gregory) #6

Thanks for posting. Nothing else seems out of the ordinary to me here.

Is your client (browser) also configured to send a client certificate? We've seen similar errors in the past when the browser tries to send a client certificate, but Kibana isn't expecting one. Which browser are you using to connect to Kibana?

(Yungyoung Ok) #7

Browser is chrome and internet explorer11.

When working on another server, I have not set anything else in my browser,
Is there anything else I need to set up in my browser for certificate authentication?

(Larry Gregory) #8

No. Kibana does not support client certificates at this time, so I wanted to make sure you weren't trying to implement that. I could see that being a potential cause for the SSL errors you are seeing.

I'm not sure what else could be the problem here... @Brandon_Kobel sorry for the ping, do you have any thoughts on what I might have missed?

(Brandon Kobel) #9

Nothing jumps out off-hand. Would you mind sharing your full kibana.yml (redacting sensitive information) @Yungyoung_Ok?

(Yungyoung Ok) #10

here is kibana.yml

server.port: 5615 "kibana server ip" "kibana server ip"

elasticsearch.hosts: ["elasticsearch server ip:port"] true
elasticsearch.username: "kibana"
elasticsearch.password: "password"

server.ssl.enabled: true
server.ssl.certificate: /path/to/certs/instance/instance.crt
server.ssl.key: /path/to/certs/instance/instance.key

elasticsearch.ssl.certificateAuthorities: [ "/path/to/elasticsearch/certs/client/client-ca.cer" ]

logging.verbose: true

--- here is elasticsearch config --- elasticsearch server ip
http.port: http port
transport.port: tcp port

discovery.zen.hosts_provider: file
discovery.zen.minimum_master_nodes: 1 true true certificate path/to/certs/oknode-1.p12 path/to/certs/oknode-1.p12 true path/to/certs/oknode-1.p12 path/to/certs/oknode-1.p12 optional pki

※ All certificates were created using the elasticsearch-certutil command.
This is the site I referenced.

※I also tested with the elasticsearch-certgen command,
There was no problem with kibana 6.5.4, but the same problem occurred with kibana 6.7.0.

(Brandon Kobel) #11

Very interesting, nothing pops out from your kibana.yml.

Are you seeing these errors logged as soon as you go to Kibana's home-page?

(Yungyoung Ok) #12

When i connect with a kibana url, the error immediately occurs.

(Brandon Kobel) #13

Hey @Yungyoung_Ok, when you go to Kibana, are you seeing a warning about the certificate not being trusted, similar to the following:

(Yungyoung Ok) #14

I have created a certificate with the elasticsearch-certutil command. Should I not use this certificate in a kibana?

(Brandon Kobel) #15

@Yungyoung_Ok you can definitely use the certificates created by elasticsearch-certutil in Kibana. In my testing, I'm seeing this error logged when connecting using a certificate that the browser doesn't trust, and you proceed anyway with the warnings. In this situation, that log message can be ignored, I've created to improve the logging experience in these situations.

(Yungyoung Ok) #16