Hey there,
I am trying to use SSL for Kibana to request it over HTTPS via a web browser. My company wants to use a self-signed certificate for this and also wants to use its own Certification Authority (CA).
I did the following for this to get it running.
I created a docker-compose.yml file to get the kibana container running:

    version: '3.6'
    services:
      kibana:
        image: docker.elastic.co/kibana/kibana:6.4.2
        container_name: kibana
        volumes:
          - ${PWD}/kibana/config/certs/kibana.crt:/usr/share/kibana/config/kibana.crt
          - ${PWD}/kibana/config/certs/kibana.key:/usr/share/kibana/config/kibana.key
          - ${PWD}/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
        environment:
          ELASTICSEARCH_URL: "http://192.168.70.196:9200"
        ports: ["5601:5601"]

My kibana.yml has the entries to enable ssl:

    server.ssl.enabled: true
    server.ssl.certificate: "/usr/share/kibana/config/kibana.crt"
    server.ssl.key: "/usr/share/kibana/config/kibana.key"

The Elasticsearch service is also running via Docker (but not already in the compose file).
I created the CA and certs with elasticsearch-certutil using the following commands on my local machine after downloading and unpacking the elasticsearch-6.4.3.tar.gz:

    mkdir elkstack_certs
    cd elkstack_certs
    elasticsearch-6.4.2/bin/elasticsearch-certutil ca --pem
    touch kibana.yml

Inserted the following into my kibana.yml for the creation of my signed cert and private key:

    instances:
      - name: "kibana"
        ip:
          - "192.168.70.196"
        dns:
          - "xxx.xxx.xxx"

Then:

    elasticsearch-6.4.2/bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --in kibana.yml --out kibana_test.zip
    unzip kibana_test.zip

Then I converted the kibana.crt to kibana.pem via openssl and copied the kibana.pem and kibana.key to the server where the Kibana service should be running, under the path where they should be placed to be copied into the Kibana container on start.
When I now start the Kibana container

    docker-compose up kibana

I get the following logs shown:

    for Elasticsearch"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:graph@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:grokdebugger@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:logstash@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:reporting@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["info","monitoring-ui","kibana-monitoring"],"pid":1,"message":"Starting monitoring stats collection"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["status","plugin:security@6.4.2","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:23Z","tags":["license","info","xpack"],"pid":1,"message":"Imported license information from Elasticsearch for the [monitoring] cluster: mode: basic | status: active"}
    kibana | {"type":"log","@timestamp":"2018-10-31T08:56:42Z","tags":["info","http","server","listening"],"pid":1,"message":"Server running at https://localhost:5601"}

To test the connection to Kibana I copied the ca.cert to the server and converted it to PEM format, as curl tells me to, with:

    openssl x509 -in ca.crt -out ca.pem -outform PEM

When I now try to connect to Kibana with curl:

    curl --cacert ca.pem https://localhost:5601

I get the following message:

    curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

In the kibana logs, no entry gets created at that time.
I also added the CA to my browser and tried to connect to Kibana via the browser. I get the following response:

    ERR_CONNECTION_REFUSED

Any suggestion or help to get this solved would be appreciated.
Thanks in advance
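
The checks below are an added example, not part of the original post: they confirm offline that a certutil-issued certificate chains to the CA, that the private key belongs to it, and that the name used in the URL is one of its SANs. File names follow the post; the function names are made up for this example, and the SAN match is exact (no wildcard handling).

```shell
#!/bin/sh
# Added example: offline checks for a CA-signed Kibana certificate.
# Function names are made up for this example; file names follow the post.

# 0 if SERVER_CERT chains to CA_CERT.
chain_ok() {  # chain_ok CA_CERT SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if SERVER_KEY is the private key for SERVER_CERT (same public key).
key_matches() {  # key_matches SERVER_CERT SERVER_KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    # An unreadable file yields an empty string, which must not count as a match.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the subjectAltName entries one per line,
# e.g. "DNS:kibana.example" or "IP Address:192.168.70.196".
san_entries() {  # san_entries SERVER_CERT
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//'
}

# 0 if NAME (DNS name or IP address) is listed in the SANs.
# Exact match only; wildcard entries are not expanded here.
san_covers() {  # san_covers SERVER_CERT NAME
    san_entries "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Run all three checks and report every failure; returns 0 only if all pass.
check_kibana_cert() {  # check_kibana_cert CA_CERT SERVER_CERT SERVER_KEY NAME
    rc=0
    chain_ok "$1" "$2"    || { echo "FAIL: $2 does not chain to $1"; rc=1; }
    key_matches "$2" "$3" || { echo "FAIL: $3 is not the key for $2"; rc=1; }
    san_covers "$2" "$4"  || { echo "FAIL: $4 is not in the SANs of $2"; rc=1; }
    return "$rc"
}

# Usage: sh check_cert.sh ca/ca.crt kibana.crt kibana.key 192.168.70.196
if [ "$#" -eq 4 ]; then
    check_kibana_cert "$@"
fi
```

With the instances file from the post, the SAN check fails for `localhost`, because the certificate was issued only for 192.168.70.196 and xxx.xxx.xxx; curl verifies the name in the URL against those entries once the handshake gets that far.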