Secure browser to kibana

Elastic Stack Kibana
1

I'm following this documentation page for securing communications between the browser and kibana. I'm a little confused as the documentation suggests createing a csr while later in the line ( and in kibana.yml) it expects a crt: https://i.imgur.com/8Dbdwnx.png

What I did is I ran this command:

 bin/elasticsearch-certutil csr -name kibana-server -dns elk.companyname.net

And in kibana.yml I added:

server.ssl.enabled: true
server.ssl.certificate: /usr/share/elasticsearch/kibana-server/kibana-server.csr
server.ssl.key: /usr/share/elasticsearch/kibana-server/kibana-server.key

Then: systemctl restart kibana

But in the browser when I enter https://elk.companyname.net or https://elk.companyname.net:5601 it doesn't work, even though I made sure dns points correcntly.

Does anyone know what's wrong? Is it because of the csr/crt missmatch? Thanks ahead!

2

Hi @headtea. We have a detailed blog post for setting up security with Elasticsearch and Kibana which you might find useful.

3

Thank you for the response,

I've read it and couldn't find the part where kibana is secured because in the docs it says to enable server.ssl.certificate in kibana.yml.

I'm a little confused as it the command in the docs suggest:

bin/elasticsearch-certutil csr -name kibana-server -dns some-website.com,www.some-website.com

creates a .csr file while it seems like it expects an .crt?

4

I've discovered that I need to create an .crt and .key from the new .csr I have. Only thing is, even after looking at the elasticsearch-certutil documentation I'm just not sure what parameters to use. All the files and clusters are located on one machine.

5

EDIT: SOLVED:

Literally just took our company's .crt and .key from another server. scp'd it locally to a directory that is open for everyone, gave it 777 permissions, chown'd it to kibana:kibana and in kibana.yml:

server.ssl.enabled: true
server.ssl.certificate: /etc/elk/2020_companyname.crt
server.ssl.key: /etc/elk/wildcardcompanyname.key
1 Like
6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.