Setting up SSL for Windows Elasticsearch, Filebeat and Kibana


(Greg Sullivan) #1

Looking for help setting up SSL from Kibana to Elasticsearch. Using Windows certificates, how do I go about securing the systems?
I can export my root certificate as a cer file or a p7b file, can those be used?
I've tried to export the root and client but elastic didn't like them.
Any ideas?
thanks

I figure once one is working the rest will.


(Tim Vernum) #2

I have moved this to the X-Pack forum as SSL is part of the X-Pack plugin.


(Tim Vernum) #3

Step 1 is to install X-Pack if you haven't already done so.

Note that the security features of X-Pack (including SSL) require a commercial license, but offer a free 30 day trial.

Then you want to follow the SSL/TLS setup guide for Elasticsearch

And the Security guide for Kibana

You mention having a "root certificate", which I assume is an existing CA that you wish to use. In that case you should follow the instructions for generating a Certificate Signing Request (CSR).

Please ask if you have any difficulties, SSL setup can get messy, and it's hard to document it precisely for everyone's needs, so we're happy to help if there's a gap in the docs.


(Greg Sullivan) #4

Thanks, I am trying to use the pem files now. It appears the elastic nodes are using them, but it is hard to tell. I tried an Invoke-WebRequest but get an SSL error now, using certs generated from certutil.
Invoke-RestMethod http://elastic1:9200/_cluster/health?pretty -Method Get
tried https
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.


(Tim Vernum) #5

If you enabled TLS on the HTTP port, using a cert that you created with certutil then you are using an auto generated certificate authority.

By default other software is not going to trust that TLS connection because the certificate is not signed by a trusted certificate authority.

Your options are:

  • Don't use TLS on the HTTP port
  • Use a certificate that is signed by a trusted CA (the certutil documentation provides instructions for generating a certificate signing request for that purpose)
  • Add the autogenerated CA to the trusted store
  • Or, if you are only going to use other Elastic stack products (Kibana, Beats, etc) to communicate with elasticsearch, you can just not worry about it - each of those products has the ability to configure a custom CA when connecting to ES.
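
One way to work through the third option above on Windows, as an added example that is not part of the original thread: confirm that the certificate the node presents really chains to the certutil-generated CA before adding that CA to the trusted store, then retry the request from post #4. The CA file path is a placeholder; the host name and port are the ones used in the thread.

```powershell
# Added example, not from the thread. Assumptions: $CaPath points at the CA
# certificate produced by certutil (placeholder path); host/port are from post #4.
$CaPath = 'C:\elastic\certs\ca.crt'
$EsHost = 'elastic1'
$EsPort = 9200
$X509   = 'System.Security.Cryptography.X509Certificates'

$ca = New-Object "$X509.X509Certificate2" $CaPath

# Fetch the certificate the node presents. The callback accepts anything only so
# the certificate can be inspected; no request data is sent over this stream.
$tcp = New-Object System.Net.Sockets.TcpClient($EsHost, $EsPort)
try {
    $inspectOnly = {$true} -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspectOnly)
    $ssl.AuthenticateAsClient($EsHost)
    $serverCert = New-Object "$X509.X509Certificate2"($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# Build the chain with the CA supplied as an extra (not yet trusted) certificate,
# then require that the chain ends in exactly that CA.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built    = $chain.Build($serverCert)
$root     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$anchored = $built -and ($root.Thumbprint -eq $ca.Thumbprint)

[pscustomobject]@{
    Subject      = $serverCert.Subject
    Issuer       = $serverCert.Issuer
    ChainRoot    = $root.Subject
    ChainsToMyCA = $anchored
}

if ($anchored) {
    # Trust the CA for the current user only (Windows shows a confirmation prompt).
    # Cert:\LocalMachine\Root would trust it machine-wide and needs an elevated shell.
    Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
    Invoke-RestMethod "https://${EsHost}:$EsPort/_cluster/health?pretty" -Method Get
} else {
    Write-Warning "Certificate on ${EsHost}:$EsPort does not chain to $CaPath; CA not imported."
}
```

If the request still fails after the import, compare the `Subject` shown above with the host name in the URL, since a name mismatch produces the same trust error.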

(Greg Sullivan) #6

Thanks,
I plan on using a valid cert, I just didn't have one handy.
I'll use the self signed ones for the stack com until I'm more familiar with openssl.
After installing the CA I can view the stats.

