Kibana6.7.0 ssl client connection error

Elastic Stack Kibana
1

image
image.png859×79 1.76 KB

kibana.yml
server.host: "IPADDRESS"
server.name: "IPADDRESS"

xpack.security.enabled: true
elasticsearch.username: "kibana"
elasticsearch.password: "password"

server.ssl.enabled: true
server.ssl.certificate: /path/to/certificate/es-demo/es-demo.crt
server.ssl.key: /path/to/certificate/es-demo/es-demo.key

I tried to create certificate with elasticsearch-certutil, elasticsearch-certgen, but the same error occurs.
like this..

$ES_HOME/bin/elasticsearch-certgen

$ES_HOME/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --pem --ip IPADDRESS --out kibana-cert.zip --ca-dn CN=IPADDRESS

What more settings do I need?

2

Hey @Yungyoung_Ok,

Are you connecting to Elasticsearch over https? If so, you need to make sure that certificate is trusted by Kibana. If a custom CA was used for that certificate, then you'll need to set elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] as well.

If not, then I have a few more questions:

When is this error appearing in the logs? Are there any other errors?

Does Kibana function despite these errors, either partially or fully?

Is Elasticsearch configured to require a client certificate?

3

Yes, I set elasticsearch.ssl.certificateAuthorities just like the above guide.
elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.cer" ]

With this setting, both the ElasticSearch and Kibana functions well.

This error occurs when setting kibana ssl.

No other errors will occur.

4

Can you set logging.verbose: true in your kibana.yml, restart Kibana, and post the complete log file?

5

Here is kibana log

image
image.png1417×751 366 KB

image
image.png1331×817 353 KB

image
image.png1433×818 394 KB

image
image.png1295×818 322 KB

image
image.png1177×820 180 KB

image
image.png1392×785 328 KB

※ The certificate was created using elasticsearch-certutil.

6

Thanks for posting. Nothing else seems out of the ordinary to me here.

Is your client (browser) also configured to send a client certificate? We've seen similar errors in the past when the browser tries to send a client certificate, but Kibana isn't expecting one. Which browser are you using to connect to Kibana?

7

Browser is chrome and internet explorer11.

When working on another server, I have not set anything else in my browser,
Is there anything else I need to set up in my browser for certificate authentication?

8

No. Kibana does not support client certificates at this time, so I wanted to make sure you weren't trying to implement that. I could see that being a potential cause for the SSL errors you are seeing.

I'm not sure what else could be the problem here... @Brandon_Kobel sorry for the ping, do you have any thoughts on what I might have missed?

9

Nothing jumps out off-hand. Would you mind sharing your full kibana.yml (redacting sensitive information) @Yungyoung_Ok?

10

sure.
here is kibana.yml

server.port: 5615
server.host: "kibana server ip"
server.name: "kibana server ip"

elasticsearch.hosts: ["elasticsearch server ip:port"]

xpack.security.enabled: true
elasticsearch.username: "kibana"
elasticsearch.password: "password"

server.ssl.enabled: true
server.ssl.certificate: /path/to/certs/instance/instance.crt
server.ssl.key: /path/to/certs/instance/instance.key

elasticsearch.ssl.certificateAuthorities: [ "/path/to/elasticsearch/certs/client/client-ca.cer" ]

logging.verbose: true

--- here is elasticsearch config ---

network.host: elasticsearch server ip
http.port: http port
transport.port: tcp port

discovery.zen.hosts_provider: file
discovery.zen.minimum_master_nodes: 1

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: path/to/certs/oknode-1.p12
xpack.security.transport.ssl.truststore.path: path/to/certs/oknode-1.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: path/to/certs/oknode-1.p12
xpack.security.http.ssl.truststore.path: path/to/certs/oknode-1.p12
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki1.type: pki

※ All certificates were created using the elasticsearch-certutil command.
This is the site I referenced.

※I also tested with the elasticsearch-certgen command,
There was no problem with kibana 6.5.4, but the same problem occurred with kibana 6.7.0.

11

Very interesting, nothing pops out from your kibana.yml.

Are you seeing these errors logged as soon as you go to Kibana's home-page?

12

yes.
When i connect with a kibana url, the error immediately occurs.

13

Hey @Yungyoung_Ok, when you go to Kibana, are you seeing a warning about the certificate not being trusted, similar to the following:

04%20AM
Screen Shot 2019-04-12 at 8.47.04 AM.png1566×1242 63.3 KB

08%20AM
Screen Shot 2019-04-12 at 8.47.08 AM.png1000×84 11 KB

14

I have created a certificate with the elasticsearch-certutil command. Should I not use this certificate in a kibana?

15

@Yungyoung_Ok you can definitely use the certificates created by elasticsearch-certutil in Kibana. In my testing, I'm seeing this error logged when connecting using a certificate that the browser doesn't trust, and you proceed anyway with the warnings. In this situation, that log message can be ignored, I've created https://github.com/elastic/kibana/issues/35004 to improve the logging experience in these situations.

16

thanks!

17

If you use the elasticseach-certutil certificate in kibana 6.7, do I have to leave a error message? Can I make it invisible?

In addition, the https.ssl setting does not login to additional users, except for users reserved by kibana (ex elastic, kibana).
No special logs are left, only called invalid username or password in Kibana.
However, the user name and password are clearly correct. Is there any other permission or authentication required for the user to login?

18

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.