[SOLVED] Kibana 5.3.0 and SSL for browser requests

nicocolt · May 9, 2017, 9:16am

Hello,

Trying to set up SSL connection between browser and kibana does not
work. When activate required parameter server.ssl.certificate and
server.ssl.key in kibana.yml, kibana crashed at startup with any logs.
Certificates have been created with openssl and copied into the configured directories
kibana.yml ssl parameters
server.ssl.enabled: true
server.ssl.certificate: /etc/ssl/certs/kibana.pem
server.ssl.key: /etc/ssl/private/kibana_key.pem

Generation of certificate:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out kibana_key.pem 4096
openssl req -new -key kibana_key.pem -out kibana.csr
openssl req -new -key kibana_key.pem -out kibana.csr
openssl x509 -req -days 730 -in kibana.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out kibana.pem

Best regards,
Nico

weltenwort · May 9, 2017, 10:58am

Hi @nicocolt,

could you try setting logging.verbose: true in the configuration and check if you receive any log output that might give a hint?

nicocolt · May 9, 2017, 12:47pm

Hi @weltenwort ,

Thanks for your quick answer.
Setting logging.verbose: true gives absolutely no log. Seems kibana crashed before initiate log system.

Let me know,
Best regards,
Nico

weltenwort · May 9, 2017, 12:57pm

But it starts up normally when you remove the three ssl configuration parameters you mentioned?

Does the user the Kibana server runs as have read access to the certificate files?

nicocolt · May 9, 2017, 1:00pm

Absolutely right, the server starts normally when those two parameters are commented out. Also, the certificate and the key are owned by the kibana user with these permissions: rw-r--r--

Best regards,
Nico

weltenwort · May 9, 2017, 2:51pm

Ok, that sounds reasonable. Can you give some detail about the operating system, the way Kibana was installed and how it is started? Are you using the tar.gz, the rpm or the deb? What is the init system used by your OS?

nicocolt · May 9, 2017, 3:12pm

I use kibana 5.3.0 with docker image from here: https://github.com/spujadas/elkx-docker (which is an image that contains an ELK stack on 5.3 with x-pack 5.3). Note that the issue is exactly the same without x-pack.

So kibana is installed from tar.gz: kibana-5.3.0-linux-x86_64.tar.gz and the service is started with service kibana start

What type of other information will be useful for you ?

Let me know,
Best regards,
Nico.

weltenwort · May 9, 2017, 5:58pm

The unofficial docker image you're using is quite difficult to debug. On first sight I would say that it does not properly capture the stdout and stderr of the Kibana process, which is where fatal errors during startup might show up. You might be able to get a glance at the error message by running only Kibana as in:

$ docker run --rm sebp/elkx:530 /opt/kibana/bin/kibana

You probably have to modify this to include your mounted config files and environment variables.

nicocolt · May 10, 2017, 9:44am

Hi @weltenwort,

Thanks for this update. Found the issue. There was a passphrase in the private key.

But now, if I start kibana by service kibana start, it fails, but if i start kibana with /opt/kibana/bin/kibana, it works

If I comment out the three parameters, then it works. So I don't understand why it does not works with service kibana start when ssl is activated

Let me know,
Best regards,
Nico

weltenwort · May 10, 2017, 9:53am

Good to hear you are making progress. Looks like the init script starts Kibana as the kibana user. If you mount your certificates into the container, make sure their owner maps to the correct kibana user inside the container. The docker run line I proposed runs it as root, which is why no permission problems will become apparent there.

nicocolt · May 10, 2017, 10:04am

You're right, init script is starting with kibana user.

Does kibana user be in a specific group ? Because chown the certificate and the keys to kibana:kibana, does not resolve the issue.

Best regards,
Nico

weltenwort · May 10, 2017, 10:15am

The init script looks like it runs it as kibana:kibana. Maybe run

$ docker run --rm ${YOUR_MOUNTS} -i -t sebp/elkx:530 bash

to interactively inspect the container and check that the files really have the correct permissions. Then try running

$ docker run --rm ${YOUR_MOUNTS} --user kibana:kibana sebp/elkx:530 /opt/kibana/bin/kibana

to see if Kibana starts when run as that user.

nicocolt · May 10, 2017, 12:21pm

Got it @weltenwort !

It was a permission issue at the directory path containing the certificate. Just move the cert and key to a directory belonging to kibana user solves the problem.

Thanks a lot for your clarification and help !

Best regards,
Nico

weltenwort · May 10, 2017, 12:27pm

Good to know, thanks for letting us know what the reason was.

system · June 7, 2017, 12:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.