Metric won't setup because of bad certificates

Hi,
I have a Debian 11 install on a server. I am using the ELK stack, version 7.17, and Elasticsearch, Logstash, Filebeat and Kibana are installed and configured and work perfectly when it's about monitoring log files. Kibana is secured in HTTPS and now I would like to add metric to monitor my server health. But when I exec "sudo metricbeat setup -e" I have 1 error:

Loading dashboards (Kibana must be running and reachable)
2024-02-22T14:17:12.949+0100    INFO    kibana/client.go:180    Kibana url: https://localhost:8492
2024-02-22T14:17:12.977+0100    ERROR   instance/beat.go:1027   Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://localhost:8492/api/status fails: fail to execute the HTTP GET request: Get "https://localhost:8492/api/status": x509: certificate signed by unknown authority. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://localhost:8492/api/status fails: fail to execute the HTTP GET request: Get "https://localhost:8492/api/status": x509: certificate signed by unknown authority. Response: . 
  • metric conf file :

    Elasticsearch, Filebeat and Logstash are not secured with TLS because they are all local, but Kibana is accessible remotely so I used openssl to secure it.

Can someone help me to figure this out ?

Thanks !!

In the certificate_authorities configuration you need to put the certificate for the CA that you used to create the Kibana certificate; it seems that you put the Kibana certificate instead.

I'm sorry, I am not good in the SSL domain. Can you explain to me the difference, and where can I find it then?
Thanks a lot

How did you create those certificates?

First you need a CA, which is a Certificate Authority, then you use this CA to create the certificate and keys.

The error means that the certificate in your Kibana was signed by an unknown authority (a CA), so you need to have this CA in the configuration.

I created the certificates with openssl but I really don't remember any CA, maybe they are stored in a default dir. Do you know, by any chance, where it can be?

Unfortunately no, but how did you create it? Which commands?

Openssl will only create the files you tell it to create.

I did this like 2 months ago so I really don't remember, but I will search. Is there a chance I can maybe just generate the certificates again? If not I will just look for it.

Thanks again !!

Can't I just "bypass" the error message? Can I just skip the verification process?

Looking at your config now it seems wrong.

You have setup.kibana: and then you also have setup.kibana again nested under it.

Try to remove the extra setup.kibana from all the ssl settings.

This is the new conf file:

setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
   host: "https://localhost:8492"
   ssl.enabled: true
   ssl.certificate: /etc/kibana/kibana.crt
   ssl.key: /etc/kibana/kibana.key
   ssl.certificate_authorities: /etc/kibana/kibana.crt
   ssl.supportedProtocols: ["TLSv1.2"]
#   setup.kibana.ssl.verification_mode: none

And this is the new error :

Loading dashboards (Kibana must be running and reachable)
2024-02-23T09:32:29.458+0100    WARN    [cfgwarn]       tlscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2024-02-23T09:32:29.460+0100    INFO    kibana/client.go:180    Kibana url: https://localhost:8492
2024-02-23T09:32:29.464+0100    ERROR   instance/beat.go:1027   Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://localhost:8492/api/status fails: fail to execute the HTTP GET request: Get "https://localhost:8492/api/status": x509: certificate is not valid for any names, but wanted to match localhost. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://localhost:8492/api/status fails: fail to execute the HTTP GET request: Get "https://localhost:8492/api/status": x509: certificate is not valid for any names, but wanted to match localhost. Response: .

I checked a little and it seems like my CA wasn't stored, I just generated it with openssl to be able to generate the keys.

And if I just remove the "https://" in the metric conf file for Kibana and I just use "localhost:8492", I have another error message:

Loading dashboards (Kibana must be running and reachable)
2024-02-23T09:36:29.512+0100    WARN    [cfgwarn]       tlscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2024-02-23T09:36:29.514+0100    INFO    kibana/client.go:180    Kibana url: http://localhost:8492
2024-02-23T09:36:29.519+0100    ERROR   instance/beat.go:1027   Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:8492/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:8492/api/status": EOF. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:8492/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:8492/api/status": EOF. Response: .

Add this back, as this should make metricbeat ignore the certificate errors.

But add this as ssl.verification_mode: none, without the redundant setup.kibana.

Ok that's amazing, it worked, thank you a lot man, really, but I have 2 questions ahah.
First, is it normal that my Metricbeat isn't giving info? I have some info just when I type metricbeat setup, and I would like info all the time, not type it and then watch on Kibana.
And the second one: is disabling the TLS verification mode going to be a security problem? Like does it create some issues with the security of my server?

Thanks a lot !!

Can you give more context on this? It is not clear what you want, what kind of info? metricbeat setup will just set up the dashboards and ingest pipelines in Kibana.

This disables the verification on the Metricbeat side, it affects only the client.

But you already have a bigger security issue because, as you mentioned, you disabled TLS in Elasticsearch as well. Also, from what you shared it is not clear if you are using authentication or not.

I have all the modules (Elasticsearch, Logstash, Beats and Kibana) on the same server, so I just enabled authentication and enabled TLS encryption for Kibana because it can be accessed remotely.
For Metricbeat I just want my server's health in the Kibana interface, but it seems like I can't unless I type the command, and I would like to have my server health accessible automatically.
I am sorry if this is not clear but English isn't my native language.
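
The two x509 errors quoted in this thread come from Go's crypto/x509 verifier, and the sketch below reproduces both and then the passing case. It is an added example, not code from the thread or from Metricbeat; the certificate names, the throwaway Ed25519 keys and the helper names `issue` and `check` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for a fresh key, signed by parent (self-signed when parent is nil).
func issue(cn string, sans []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // Subject Alternative Names, matched against the host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check verifies leaf for host with anchor as the only trusted certificate (verification left on).
func check(leaf, anchor *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("Example Local CA", nil, nil, nil)
	good, _ := issue("kibana", []string{"localhost"}, ca, caKey)
	bare, _ := issue("kibana", nil, nil, nil)   // self-signed, no SAN
	fmt.Println(check(good, bare, "localhost")) // signing CA is not in the trust store
	fmt.Println(check(bare, bare, "localhost")) // trusted, but valid for no names
	fmt.Println(check(good, ca, "localhost"))   // <nil>
}
```

The passing case corresponds to listing the CA's certificate under `ssl.certificate_authorities` and issuing the Kibana certificate with a SAN for the name used in `host`. Setting `ssl.verification_mode: none` makes the client skip both checks.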
