Kibana 6.7.0 SSL client connection error


(Yungyoung Ok) #1

kibana.yml
server.host: "IPADDRESS"
server.name: "IPADDRESS"

xpack.security.enabled: true
elasticsearch.username: "kibana"
elasticsearch.password: "password"

server.ssl.enabled: true
server.ssl.certificate: /path/to/certificate/es-demo/es-demo.crt
server.ssl.key: /path/to/certificate/es-demo/es-demo.key

I tried to create the certificate with elasticsearch-certutil and elasticsearch-certgen, but the same error occurs.
Like this:

$ES_HOME/bin/elasticsearch-certgen

$ES_HOME/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --pem --ip IPADDRESS --out kibana-cert.zip --ca-dn CN=IPADDRESS

What more settings do I need?


(Larry Gregory) #2

Hey @Yungyoung_Ok,

Are you connecting to Elasticsearch over https? If so, you need to make sure that certificate is trusted by Kibana. If a custom CA was used for that certificate, then you'll need to set elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] as well.

If not, then I have a few more questions:

When is this error appearing in the logs? Are there any other errors?

Does Kibana function despite these errors, either partially or fully?

Is Elasticsearch configured to require a client certificate?


(Yungyoung Ok) #3

Yes, I set elasticsearch.ssl.certificateAuthorities just like the above guide.
elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.cer" ]

With this setting, both Elasticsearch and Kibana function well.

This error occurs when setting Kibana SSL.

No other errors will occur.


(Larry Gregory) #4

Can you set logging.verbose: true in your kibana.yml, restart Kibana, and post the complete log file?


(Yungyoung Ok) #5

Here is the Kibana log:






※ The certificate was created using elasticsearch-certutil.


(Larry Gregory) #6

Thanks for posting. Nothing else seems out of the ordinary to me here.

Is your client (browser) also configured to send a client certificate? We've seen similar errors in the past when the browser tries to send a client certificate, but Kibana isn't expecting one. Which browser are you using to connect to Kibana?


(Yungyoung Ok) #7

The browsers are Chrome and Internet Explorer 11.

When working on another server, I have not set anything else in my browser.
Is there anything else I need to set up in my browser for certificate authentication?


(Larry Gregory) #8

No. Kibana does not support client certificates at this time, so I wanted to make sure you weren't trying to implement that. I could see that being a potential cause for the SSL errors you are seeing.

I'm not sure what else could be the problem here... @Brandon_Kobel sorry for the ping, do you have any thoughts on what I might have missed?


(Brandon Kobel) #9

Nothing jumps out off-hand. Would you mind sharing your full kibana.yml (redacting sensitive information) @Yungyoung_Ok?


(Yungyoung Ok) #10

Sure.
Here is kibana.yml:

server.port: 5615
server.host: "kibana server ip"
server.name: "kibana server ip"

elasticsearch.hosts: ["elasticsearch server ip:port"]

xpack.security.enabled: true
elasticsearch.username: "kibana"
elasticsearch.password: "password"

server.ssl.enabled: true
server.ssl.certificate: /path/to/certs/instance/instance.crt
server.ssl.key: /path/to/certs/instance/instance.key

elasticsearch.ssl.certificateAuthorities: [ "/path/to/elasticsearch/certs/client/client-ca.cer" ]

logging.verbose: true

--- here is elasticsearch config ---

network.host: elasticsearch server ip
http.port: http port
transport.port: tcp port

discovery.zen.hosts_provider: file
discovery.zen.minimum_master_nodes: 1

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: path/to/certs/oknode-1.p12
xpack.security.transport.ssl.truststore.path: path/to/certs/oknode-1.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: path/to/certs/oknode-1.p12
xpack.security.http.ssl.truststore.path: path/to/certs/oknode-1.p12
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki1.type: pki

※ All certificates were created using the elasticsearch-certutil command.
This is the site I referenced.

※ I also tested with the elasticsearch-certgen command.
There was no problem with Kibana 6.5.4, but the same problem occurred with Kibana 6.7.0.


(Brandon Kobel) #11

Very interesting, nothing pops out from your kibana.yml.

Are you seeing these errors logged as soon as you go to Kibana's home-page?


(Yungyoung Ok) #12

Yes.
When I connect with a Kibana URL, the error occurs immediately.


(Brandon Kobel) #13

Hey @Yungyoung_Ok, when you go to Kibana, are you seeing a warning about the certificate not being trusted, similar to the following:


(Yungyoung Ok) #14

I have created a certificate with the elasticsearch-certutil command. Should I not use this certificate in Kibana?


(Brandon Kobel) #15

@Yungyoung_Ok you can definitely use the certificates created by elasticsearch-certutil in Kibana. In my testing, I'm seeing this error logged when connecting using a certificate that the browser doesn't trust, and you proceed anyway with the warnings. In this situation, that log message can be ignored. I've created https://github.com/elastic/kibana/issues/35004 to improve the logging experience in these situations.
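
The trust condition described in post #15 can be reproduced offline. This is an added example, not part of the original thread: a throwaway CA and instance certificate, constructed with openssl as stand-ins for the elasticsearch-certutil output, are verified against a trust store that contains the CA and one that does not. The IP address, file names and function names are assumptions, and the SAN check goes slightly beyond what the thread discusses.

```shell
#!/usr/bin/env bash
# Added example. All certificates are constructed throwaway files standing in
# for the CA and instance certificate that elasticsearch-certutil produces.
KIBANA_IP="192.0.2.10"   # placeholder address (assumption, not from the thread)

make_ca() {              # $1 = dir, $2 = basename; writes $2.key and $2.crt
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=%s\n[ca]\nbasicConstraints=critical,CA:TRUE\n' "$2" > "$1/$2.cnf"
  openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

make_server_cert() {     # $1 = dir, $2 = CA basename, $3 = IP to place in the SAN
  printf 'subjectAltName=IP:%s\n' "$3" > "$1/san.ext"
  openssl req -new -config "$1/$2.cnf" -subj "/CN=instance" -newkey rsa:2048 \
    -nodes -keyout "$1/instance.key" -out "$1/instance.csr" 2>/dev/null
  openssl x509 -req -in "$1/instance.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/instance.crt" 2>/dev/null
}

# Exit status 0 only if the certificate chains to the given trust store AND
# its SAN covers the address typed into the browser.
client_trusts() {        # $1 = trust store (PEM), $2 = server cert, $3 = IP in URL
  openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Demo run: "certutil-ca" signs the Kibana certificate, "other-ca" models a
# browser trust store that has never been given that CA.
work=$(mktemp -d)
make_ca "$work" certutil-ca
make_ca "$work" other-ca
make_server_cert "$work" certutil-ca "$KIBANA_IP"
for store in certutil-ca other-ca; do
  if client_trusts "$work/$store.crt" "$work/instance.crt" "$KIBANA_IP"; then
    echo "$store: chain and SAN verify, no browser warning expected"
  else
    echo "$store: verification fails, browser shows the untrusted-certificate warning"
  fi
done
rm -rf "$work"
```

To check a real deployment the same way, pass the CA certificate that signed the Kibana certificate as the trust store and the `server.ssl.certificate` file as the server certificate.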


(Yungyoung Ok) #16

Thanks!