Setting up ssl for Windows elasaticsearch, filebeat and kibana

GSCully · January 3, 2018, 1:32am

Looking for help setting up ssl on kibana to elasticsearch help, Using Windows certificates, how do I go about securing the systems?
I can export my root certificate as a cer file or a p7b file, can those be used?
I've tried to export the root and client but elastic didn't like them.
Any ideas?
thanks

I figure once one is working the rest will.

TimV · January 5, 2018, 1:36am

I have moved this to the X-Pack forum as SSL is part of the X-Pack plugin.

TimV · January 5, 2018, 1:45am

Step 1 is to install X-Pack if you haven't already done so.

https://www.elastic.co/guide/en/x-pack/6.1/installing-xpack.html

Note that the security features of X-Pack (including SSL) require a commercial license, but offer a free
30 day trial.

Then you want to follow the SSL/TLS setup guide for Elasticsearch

https://www.elastic.co/guide/en/x-pack/6.1/ssl-tls.html

And the Security guide for Kibana

https://www.elastic.co/guide/en/kibana/6.1/using-kibana-with-security.html

You mention having a "root certificate", which I assume is an existing CA that you wish to use. In that case you should follow the instructions for generating a Certificate Signing Request (CSR).

Please ask if you have any difficulties, SSL setup can get messy, and it's hard to document it precisely for everyone's needs, so we're happy to help if there's a gap in the docs.

GSCully · January 16, 2018, 4:56pm

Thanks, I am trying to use the pem files now, it appears elastic nodes are using it, but it is hard to tell, I tried a Invoke-webrequest but get an ssl error now. using certs generated from certutil.
Invoke-RestMethod http://elastic1:9200/_cluster/health?pretty -Method Get
tried https
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

TimV · January 17, 2018, 6:19am

If you enabled TLS on the HTTP port, using a cert that you created with certutil then you are using an auto generated certificate authority.

By default other software is not going to trust that TLS connection because the certificate is not signed by a trusted certificate authority.

Your options are:

Don't use TLS on the HTTP port
Use a certificate that is signed by a trusted CA (the certutil documentation provides instructions for generating a certificate signing request for that purpose)
Add the autogenerated CA to the trusted store
Or, if you are only going to use other Elastic stack products (Kibana, Beats, etc) to communicate with elasticsearch, you can just not worry about it - each of those products has the ability to configure a custom CA when connecting to ES.

GSCully · January 17, 2018, 5:49pm

Thanks,
I plan on using a valid cert, I just didn't have one handy.
I'll use the self signed ones for the stack com until I'm more familiar with openssl.
After install the ca I can view the stats.

system · February 14, 2018, 5:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.