Secure browser to kibana

I'm following this documentation page for securing communications between the browser and kibana. I'm a little confused as the documentation suggests createing a csr while later in the line ( and in kibana.yml) it expects a crt: https://i.imgur.com/8Dbdwnx.png

What I did is I ran this command:

 bin/elasticsearch-certutil csr -name kibana-server -dns elk.companyname.net

And in kibana.yml I added:

server.ssl.enabled: true
server.ssl.certificate: /usr/share/elasticsearch/kibana-server/kibana-server.csr
server.ssl.key: /usr/share/elasticsearch/kibana-server/kibana-server.key

Then: systemctl restart kibana

But in the browser when I enter https://elk.companyname.net or https://elk.companyname.net:5601 it doesn't work, even though I made sure dns points correcntly.

Does anyone know what's wrong? Is it because of the csr/crt missmatch? Thanks ahead!

Hi @headtea. We have a detailed blog post for setting up security with Elasticsearch and Kibana which you might find useful.

Thank you for the response,

I've read it and couldn't find the part where kibana is secured because in the docs it says to enable server.ssl.certificate in kibana.yml.

I'm a little confused as it the command in the docs suggest:

bin/elasticsearch-certutil csr -name kibana-server -dns some-website.com,www.some-website.com

creates a .csr file while it seems like it expects an .crt?

I've discovered that I need to create an .crt and .key from the new .csr I have. Only thing is, even after looking at the elasticsearch-certutil documentation I'm just not sure what parameters to use. All the files and clusters are located on one machine.

EDIT: SOLVED:

Literally just took our company's .crt and .key from another server. scp'd it locally to a directory that is open for everyone, gave it 777 permissions, chown'd it to kibana:kibana and in kibana.yml:

server.ssl.enabled: true
server.ssl.certificate: /etc/elk/2020_companyname.crt
server.ssl.key: /etc/elk/wildcardcompanyname.key
1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.