Setting up TLS

Hi,
I am trying to set up TLS encryption for accessing Kibana internally.
I am trying to follow the following article: Setting up TLS on a cluster | Elasticsearch Reference [7.9] | Elastic

On the first step in creating the X.509 certificate, I am struggling to run the following options, as I need to include the FQDN and IP address of the server in the certificate:

If you want to use hostname verification within your cluster, run the elasticsearch-certutil cert command once for each of your nodes and provide the --name, --dns and --ip options.

When I run the following command, it gives me an error, so not really sure if I am running it correctly:

`elasticsearch-certutil.bat cert --ca --name FQDN.local --dns FQDN.local --ip 10.10.10.10 elastic-ca.p12`

I am getting the following error:

```
Enter password for CA (--name) : I ENTER CA PASSWORD HERE
Exception in thread "main" java.nio.file.NoSuchFileException: --name
        at java.base/sun.nio.fs.WindowsException.translateToIOException(WindowsException.java:85)
        at java.base/sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:103)
        at java.base/sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:108)
        at java.base/sun.nio.fs.WindowsFileSystemProvider.newByteChannel(WindowsFileSystemProvider.java:235)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:375)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:426)
        at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
        at java.base/java.nio.file.Files.newInputStream(Files.java:160)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:72)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyPairsFromKeystore(CertParsingUtils.java:141)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(CertParsingUtils.java:134)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$loadPkcs12CA$1(CertificateTool.java:342)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:933)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPkcs12CA(CertificateTool.java:341)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:329)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:685)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:91)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

D:\Elastic\Elastic-7.9.2\7.9.2\bin>
```

Any help would be greatly appreciated. Thanks

Can you clarify what you mean here?

The step you seem to be performing is to generate certificates for your nodes to use when they connect to one another. That's important, but it doesn't have anything to do with Kibana. It's possible (depending on your circumstances) that you're making this step harder than it needs to be. For example, you are electing to generate a certificate per node, which is a fine thing to do, but it's harder, and isn't really necessary for the task that I think you're actually trying to do.

The --ca option needs an argument that is the PKCS#12 file that contains your CA.
So your command line should be:

`elasticsearch-certutil.bat cert --ca elastic-ca.p12 --name FQDN.local --dns FQDN.local --ip 10.10.10.10`
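The point of the `--dns` and `--ip` options above is that they land in the certificate's subjectAltName extension, and hostname verification later compares the name or address a client connected to against exactly those entries (an IP typed into a DNS entry, or a name missing from the list, fails the check). The script below is an added illustration and not from the thread or from Elastic's tooling: it builds the SAN GeneralNames structure the way a cert tool would, parses it back, and applies the same matching rule, using only the Python standard library. The host name `FQDN.local` and address `10.10.10.10` are the placeholder values from the thread; the function names are mine.

```python
"""Build and check a subjectAltName (SAN) extension value, standard library only.

Added example, not code from the Elastic thread. It models what a certificate tool
stores for `--dns NAME` (a dNSName entry) and `--ip ADDR` (an iPAddress entry), and
how hostname verification matches against them.
"""
import ipaddress

# GeneralName CHOICE tags (RFC 5280): context-specific, implicit, primitive.
DNS_TAG = 0x82   # [2] dNSName   -> IA5String
IP_TAG = 0x87    # [7] iPAddress -> OCTET STRING, 4 bytes (IPv4) or 16 bytes (IPv6)


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(dns_names, ips) -> bytes:
    """Encode GeneralNames ::= SEQUENCE OF GeneralName for the given DNS names and IPs."""
    items = b""
    for name in dns_names:
        raw = name.encode("ascii")          # IA5String content
        items += bytes([DNS_TAG]) + _der_len(len(raw)) + raw
    for ip in ips:
        raw = ipaddress.ip_address(ip).packed  # raw network-order bytes, not text
        items += bytes([IP_TAG]) + _der_len(len(raw)) + raw
    return b"\x30" + _der_len(len(items)) + items


def _read_len(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def decode_san(der: bytes):
    """Parse a GeneralNames SEQUENCE back into (dns_names, ips); other name types are skipped."""
    if not der or der[0] != 0x30:
        raise ValueError("subjectAltName value must be a DER SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    dns_names, ips = [], []
    while pos < end:
        tag = der[pos]
        length, pos = _read_len(der, pos + 1)
        value = der[pos:pos + length]
        pos += length
        if tag == DNS_TAG:
            dns_names.append(value.decode("ascii"))
        elif tag == IP_TAG:
            ips.append(str(ipaddress.ip_address(value)))
    return dns_names, ips


def san_matches(der: bytes, host: str = None, ip: str = None) -> bool:
    """Hostname verification rule: a DNS name matches a dNSName entry case-insensitively;
    an IP address matches only an iPAddress entry, never a dNSName that happens to hold it."""
    dns_names, ips = decode_san(der)
    if ip is not None:
        return str(ipaddress.ip_address(ip)) in ips
    return host.lower() in (d.lower() for d in dns_names)


if __name__ == "__main__":
    # Constructed values mirroring the command in the thread.
    san = encode_san(["FQDN.local"], ["10.10.10.10"])
    print(decode_san(san))
    print("by name:", san_matches(san, host="fqdn.local"))
    print("by ip:  ", san_matches(san, ip="10.10.10.10"))
    # A cert built with --dns only would fail when a client connects by IP.
    print("dns-only cert by ip:", san_matches(encode_san(["FQDN.local"], []), ip="10.10.10.10"))
```

The last line is the practical check: if a client (or another node) will reach the server by address rather than by name, the certificate needs the iPAddress entry from `--ip`; a dNSName containing the dotted address does not satisfy the verifier.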

So my aim is to just secure the connections to the Kibana portal so that when logging into it, passwords are not plain text... I presume this is not correct then
