SSL Cert with own CA for Https-Use

security

(gatekeeper) #1

Hey there,

I try to use SSL for Kibana to request it over HTTPS via web browser. My company wants to use a self-signed certificate for this and also wants to use its own Certification Authority (CA).
I did the following for this to get it running.

I created a docker-compose.yml file to get the kibana container running:

version: '3.6'
services:
  kibana:
    image: docker.elastic.co/kibana/kibana:6.4.2
    container_name: kibana
    volumes:
      - ${PWD}/kibana/config/certs/kibana.crt:/usr/share/kibana/config/kibana.crt
      - ${PWD}/kibana/config/certs/kibana.key:/usr/share/kibana/config/kibana.key
      - ${PWD}/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
    environment:
      ELASTICSEARCH_URL: "http://192.168.70.196:9200"
    ports: ["5601:5601"]

My kibana.yml has the entries to enable SSL:

server.ssl.enabled: true
server.ssl.certificate: "/usr/share/kibana/config/kibana.crt"
server.ssl.key: "/usr/share/kibana/config/kibana.key"

The elasticsearch-service is also running via docker (but not already in the compose file).

I created the CA and certs with the elasticsearch-certutil by the following commands on my local machine after downloading and unpacking the elasticsearch-6.4.3.tar.gz:

mkdir elkstack_certs
cd elkstack_certs
elasticsearch-6.4.2/bin/elasticsearch-certutil ca --pem
touch kibana.yml

Inserted the following into my kibana.yml for the creation of my signed cert and private key:

instances:
  - name: "kibana"
    ip:
      - "192.168.70.196"
    dns:
      - "xxx.xxx.xxx"

then:

elasticsearch-6.4.2/bin/elasticsearch-certutil cert -ca-cert ca/ca.crt --ca-key ca/ca.key --in kibana.yml --out kibana_test.zip
unzip kibana_test.zip

Then I converted the kibana.crt to kibana.pem via openssl and copied the kibana.pem and kibana.key to the server where the kibana-service should be running, under the path where it should be placed to be copied into the kibana-container on start.

When I now start the kibana-container

docker-compose up kibana

I get the following logs shown:

 for Elasticsearch"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:graph@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:grokdebugger@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:logstash@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:reporting@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["info","monitoring-ui","kibana-monitoring"],"pid":1,"message":"Starting monitoring stats collection"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:security@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["license","info","xpack"],"pid":1,"message":"Imported license information from Elasticsearch for the [monitoring] cluster: mode: basic | status: active"}
kibana    | {"type":"log","@timestamp":"2018-10-31T08:56:42Z","tags":["info","http","server","listening"],"pid":1,"message":"Server running at https://localhost:5601"}

To test the connection to Kibana I copied the ca.crt to the server and converted it to PEM format as curl tells with:

openssl x509 -in ca.crt -out ca.pem -outform PEM

When I now try to connect to Kibana with curl:

curl --cacert ca.pem https://localhost:5601

I get the following message:
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

In the kibana logs, no entry gets created at that time.

I also added the CA to my browser and tried to connect to Kibana via browser. I get the following response:
ERR_CONNECTION_REFUSED

Any suggestion or help to get this solved would be appreciated.
Thanks in advance :slight_smile:


(Ioannis Kakavas) #2

Hi there,

You say:

which makes me think you already have a company CA certificate but then you create the CA certificate and key yourself.

elasticsearch-6.4.2/bin/elasticsearch-certutil ca --pem

You say

however

elasticsearch-6.4.2/bin/elasticsearch-certutil cert -ca-cert ca/ca.crt --ca-key ca/ca.key --in kibana.yml --out kibana_test.zip

will create a single PKCS#12 output file (kibana.p12) which holds the instance certificate, the instance private key, and the CA certificate, and not different files for the instance certificate and the instance key.

  • Did you export the key and certificate of the instance from the PKCS#12 container ? If so how?
  • Or did you pass the --pem parameter in the command above ?

As a side note, you don't need to "convert" x.crt to x.pem. .pem and .crt are just file suffixes and both are PEM encoded. (The .crt certificates that elasticsearch-certutil creates are, at least).

There's a number of reasons you'd get: curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

Can you share the output of

openssl s_client -CAfile ca.pem -connect localhost:5601
and
curl -vI --cacert ca.pem https://localhost:5601

?


(gatekeeper) #3

Hi, thanks for your reply,

  • My company has no CA at the moment. It is my task to set up the ELK stack and test all configuration, including the CA.

The output of openssl s_client -CAfile kibana/config/certs/ca.pem -connect localhost:5601:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1540987118
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
  • Yes, I used the --pem arg when creating the certs (I also posted the original commands I used in the ticket).
  • I converted the kibana.crt to kibana.pem because the curl man page says that it needs to be in PEM format.

The output of curl -vI --cacert ca.pem https://localhost:5601:

ubuntuadmin@gitslave1:~/elkstack_docker$ curl -vI --cacert kibana/config/certs/ca.pem https://localhost:5601
* Rebuilt URL to: https://localhost:5601/
*   Trying ::1...
* Connected to localhost (::1) port 5601 (#0)
* found 1 certificates in kibana/config/certs/ca.pem
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

(Ioannis Kakavas) #4

Hello again,

Ok, I was just checking since the original command you pasted did not contain the --pem:

I just wanted to verify that the export from PKCS12 to a PEM file wasn't at fault here, glad we sorted this out.

Sure. What I am saying is that kibana.crt is in PEM format already so you don't need to "convert" it. .crt is just a file suffix, it doesn't dictate the encoding of the file contents. If you want, you can just rename it to kibana.pem.

It looks like openssl's s_client connects to localhost:5601 (TCP) and then attempts a TLS client hello but the server or something in between shuts the TCP connection before the server can reply. It is also strange that Kibana doesn't print anything in its logs. Are you sure that the Kibana container is accessible at localhost:5601 and not i.e. on 192.168.70.196:5601?
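
A small diagnostic that reproduces the failure classes discussed in this thread, added here as an example and not code from the posts or from Elastic: it checks whether a certificate file is really PEM (rather than the PKCS#12 container certutil writes when --pem is omitted) and then connects the way curl --cacert does, telling apart "connection refused", a peer that drops the TCP connection during the handshake (the write:errno=104 / "non-properly terminated" case), a plaintext HTTP listener (server.ssl settings not in effect) and a CA or SAN mismatch. fake_listener is a constructed local stand-in for the Kibana port, and all function names are assumptions of this example.

```python
import socket
import ssl
import threading

def cert_encoding(data):
    """PEM text is what curl --cacert and Kibana server.ssl.* expect; a leading 0x30
    (ASN.1 SEQUENCE) is DER/PKCS#12, which certutil writes when --pem is omitted."""
    return "pem" if b"-----BEGIN " in data[:64] else ("der-or-pkcs12" if data[:1] == b"\x30" else "unknown")

def classify_tls_endpoint(host, port, cafile=None, timeout=3.0):
    """Do what `curl --cacert ca.pem https://host:port` does and name the failure."""
    ctx = ssl.create_default_context(cafile=cafile)   # None -> system trust store
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                  # nothing listens: ERR_CONNECTION_REFUSED
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok:" + tls.version()  # handshake done, CA and hostname verified
    except ssl.SSLCertVerificationError as e:
        return "cert-verify-failed:" + e.verify_message   # wrong CA file or SAN
    except ssl.SSLError as e:
        reason = (e.reason or "").upper()
        if isinstance(e, ssl.SSLEOFError) or "EOF" in reason:
            return "closed-during-handshake"   # curl: "non-properly terminated"
        if "WRONG_VERSION" in reason or "HTTP" in reason:
            return "not-tls"                   # plaintext HTTP answered the ClientHello
        return "tls-error:" + reason
    except OSError as e:                       # reset/EPIPE: s_client write:errno=104
        return "timeout" if isinstance(e, socket.timeout) else "closed-during-handshake"

def fake_listener(behaviour):
    """Constructed stand-in for the Kibana port on 127.0.0.1; returns the port number.
    'refused': nothing listens, 'close': hang up right after accept, 'http': plaintext reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if behaviour == "refused":
        srv.close()
        return port
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        if behaviour == "http":
            conn.recv(1024)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port
```

Against a real host, call classify_tls_endpoint("localhost", 5601, cafile="ca.pem") and, if the result is "refused" or "closed-during-handshake", check the published port and the mounted kibana.yml before suspecting the certificates.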


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.