[SOLVED] Kibana 5.3.0 and SSL for browser requests


(Nicolas Loison) #1

Hello,

Trying to set up an SSL connection between the browser and kibana does not
work. When I activate the required parameters server.ssl.certificate and
server.ssl.key in kibana.yml, kibana crashes at startup without any logs.
Certificates have been created with openssl and copied into the configured directories.

kibana.yml ssl parameters:

server.ssl.enabled: true
server.ssl.certificate: /etc/ssl/certs/kibana.pem
server.ssl.key: /etc/ssl/private/kibana_key.pem

Generation of certificate:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out kibana_key.pem 4096
openssl req -new -key kibana_key.pem -out kibana.csr
openssl x509 -req -days 730 -in kibana.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out kibana.pem

Best regards,
Nico


(Felix Stürmer) #2

Hi @nicocolt,

could you try setting logging.verbose: true in the configuration and check if you receive any log output that might give a hint?


(Nicolas Loison) #3

Hi @weltenwort,

Thanks for your quick answer.
Setting logging.verbose: true gives absolutely no log. It seems kibana crashed before initiating the log system.

Let me know,
Best regards,
Nico


(Felix Stürmer) #4

But it starts up normally when you remove the three ssl configuration parameters you mentioned?

Does the user the Kibana server runs as have read access to the certificate files?


(Nicolas Loison) #5

Absolutely right, the server starts normally when those two parameters are commented out. Also, the certificate and the key are owned by the kibana user with these permissions: rw-r--r--

Best regards,
Nico


(Felix Stürmer) #6

Ok, that sounds reasonable. Can you give some detail about the operating system, the way Kibana was installed and how it is started? Are you using the tar.gz, the rpm or the deb? What is the init system used by your OS?


(Nicolas Loison) #7

I use kibana 5.3.0 with docker image from here: https://github.com/spujadas/elkx-docker (which is an image that contains an ELK stack on 5.3 with x-pack 5.3). Note that the issue is exactly the same without x-pack.

So kibana is installed from tar.gz: kibana-5.3.0-linux-x86_64.tar.gz and the service is started with service kibana start

What other type of information would be useful for you?

Let me know,
Best regards,
Nico.


(Felix Stürmer) #8

The unofficial docker image you're using is quite difficult to debug. At first sight I would say that it does not properly capture the stdout and stderr of the Kibana process, which is where fatal errors during startup might show up. You might be able to get a glance at the error message by running only Kibana as in:

$ docker run --rm sebp/elkx:530 /opt/kibana/bin/kibana

You probably have to modify this to include your mounted config files and environment variables.


(Nicolas Loison) #9

Hi @weltenwort,

Thanks for this update. Found the issue. There was a passphrase in the private key.

But now, if I start kibana with service kibana start, it fails, but if I start kibana with /opt/kibana/bin/kibana, it works.

If I comment out the three parameters, then it works. So I don't understand why it does not work with service kibana start when ssl is activated.

Let me know,
Best regards,
Nico


(Felix Stürmer) #10

Good to hear you are making progress. Looks like the init script starts Kibana as the kibana user. If you mount your certificates into the container, make sure their owner maps to the correct kibana user inside the container. The docker run line I proposed runs it as root, which is why no permission problems will become apparent there.


(Nicolas Loison) #11

You're right, the init script starts it as the kibana user.

Should the kibana user be in a specific group? Because chowning the certificate and the keys to kibana:kibana does not resolve the issue.

Best regards,
Nico


(Felix Stürmer) #12

The init script looks like it runs it as kibana:kibana. Maybe run

$ docker run --rm ${YOUR_MOUNTS} -i -t sebp/elkx:530 bash

to interactively inspect the container and check that the files really have the correct permissions. Then try running

$ docker run --rm ${YOUR_MOUNTS} --user kibana:kibana sebp/elkx:530 /opt/kibana/bin/kibana

to see if Kibana starts when run as that user.


(Nicolas Loison) #13

Got it @weltenwort!

It was a permission issue on the directory path containing the certificate. Just moving the cert and key to a directory belonging to the kibana user solves the problem.

Thanks a lot for your clarification and help!

Best regards,
Nico
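
The two causes found in this thread (a passphrase on the private key, post #9, and a directory on the key's path that the kibana user cannot traverse, post #13) can be checked before starting the service. The following is an added example, not part of the original posts and not Kibana code; the function names and the `base` parameter are assumptions made for illustration.

```python
import os
import stat

def key_is_encrypted(pem_text):
    """True if a PEM private key is passphrase-protected (the cause in post #9)."""
    # PKCS#8 encrypted keys have their own header; traditional OpenSSL keys
    # carry a "Proc-Type: 4,ENCRYPTED" line inside the PEM block.
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def _allowed(st, uid, gids, want):
    """Classic Unix mode check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses mode bits, so a run as root hides the problem
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)

def blocked_components(path, uid, gids, base="/"):
    """Return the components from `base` down to `path` that stop `uid` reading it.

    Each directory on the way needs the execute (search) bit for that user and
    the file itself needs the read bit. ACLs and capabilities are not considered.
    """
    path, base = os.path.abspath(path), os.path.abspath(base)
    rel = os.path.relpath(path, base).split(os.sep)
    blocked, current = [], base
    for i, part in enumerate([""] + rel):
        current = os.path.join(current, part) if part else current
        st = os.stat(current)
        is_file_target = i == len(rel) and not stat.S_ISDIR(st.st_mode)
        if not _allowed(st, uid, gids, 4 if is_file_target else 1):
            blocked.append(current)
    return blocked

if __name__ == "__main__":
    import grp, pwd, sys
    if len(sys.argv) == 3:  # e.g. kibana /etc/ssl/private/kibana_key.pem
        pw = pwd.getpwnam(sys.argv[1])
        gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if sys.argv[1] in g.gr_mem}
        print("blocked:", blocked_components(sys.argv[2], pw.pw_uid, gids))
        with open(sys.argv[2]) as fh:
            print("encrypted:", key_is_encrypted(fh.read()))
```

Run it as root inside the container so the script itself can stat and read every component; the check is computed for the user named on the command line, not for the user running the script.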


(Felix Stürmer) #14

Good to know, thanks for letting us know what the reason was. :thumbsup:

