SSL connection between Kibana and Elasticsearch

Hello, I would like to ask for help in configuring an SSL connection.
When using https I get this error: SSL_ERROR_RX_RECORD_TOO_LONG.

If I try

curl --cacert /etc/kibana/elasticsearch-ca.pem https://localhost:9200/ -u elastic:pword -v

I receive this output:

SSL: certificate subject name 'elasticsearch' does not match target host name

Where or how can I change the target host name or the certificate subject name?

After creating a new certificate I receive this output:

matched cert's IP address!
SSL certificate verify ok.

* Connection #0 to host left intact

However, same error from the browser:


Does that mean that I have to configure the browser as well, or am I trying to use https on http?

(Sorry in advance - I'm new here, so there will be many silly questions.)
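Added example, not part of the original posts: a probe that connects the way a verifying HTTPS client does and tells the states seen above apart. It separates a port that does not answer with TLS at all (what Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG, typical of an HTTPS request sent to an HTTP-only port), a certificate whose names do not cover the host (curl's "does not match target host name"), and a fully verified connection. The names `probe_tls` and `start_plain_http_stub` and the stub listener are constructed for this example.

```python
import socket
import ssl
import threading

# OpenSSL verify codes: 62 = hostname mismatch, 64 = IP address mismatch.
NAME_MISMATCH = {62, 64}


def probe_tls(host, port, cafile=None, timeout=3.0):
    """Classify a listener the way a verifying TLS client experiences it."""
    # Default context = chain validation plus a name check against `host`.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "ok"
            except ssl.SSLCertVerificationError as exc:
                if exc.verify_code in NAME_MISMATCH:
                    return "name_mismatch"  # curl: "does not match target host name"
                return "untrusted"  # chain or validity check failed
            except ssl.SSLError as exc:
                # A reason naming a TLS alert shows the peer speaks TLS; any
                # other failure means its reply was not a TLS record at all.
                return "tls_error" if "ALERT" in (exc.reason or "") else "not_tls"
    except OSError:
        return "unreachable"  # refused, reset or timed out


def start_plain_http_stub():
    """Constructed HTTP-only listener for the demo; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)  # the client's TLS ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # HTTPS client against an HTTP-only port: the browser-side failure.
    print(probe_tls("127.0.0.1", start_plain_http_stub()))
```

Against the setup in this thread the equivalent of the curl test is `probe_tls("localhost", 9200, cafile="/etc/kibana/elasticsearch-ca.pem")`.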

When I do

curl --insecure -X GET "" -u elastic:pword

I get that "you know, you search" message.
If I use the Mozilla browser - I can't access it.
And my cluster is all gone - by that I mean I do not see filebeat, auditbeat, packetbeat - through metricbeat.

But now I am able to see the Detections tab - it's empty but without that "setting up" warning message.
So does this mean that the TLS connection is established between elasticsearch and kibana?
If so, how do I get all beats back to life? Sorry to say but it is very unclear in the guides.

For example. ""
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
setup.kibana.ssl.certificate: "/etc/pki/client/cert.pem"
setup.kibana.ssl.key: "/etc/pki/client/cert.key"
  • I do not have ca.pem in the pki folder; the pki folder is empty. I don't see any .key files.
    When I was doing certificate I received file, so I have unzipped it and done like so:

      cp /usr/share/elasticsearch/elasticsearch/http.p12 /etc/elasticsearch/ #
      chown root.elasticsearch /etc/elasticsearch/http.p12
      chmod 660 /etc/elasticsearch/http.p12

In elasticsearch.yml : true certificate elastic-certificates.p12 elastic-certificates.p12 true "http.p12"


cp /usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/kibana/

into kibana config:

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none

Please correct me if I am doing something wrong and would like to ask for advice on next steps.

Can anyone help with the issue?
Main question is how do I properly secure Kibana and Elasticsearch + all beats that I am using (metricbeat, auditbeat, packetbeat, filebeat). Possibly any links that can be useful in doing this?

If this type of topic should not be discussed on the forum - possibly I can contact any moderator privately? So I can discuss and describe the steps I have done?

  1. created directory : /home/es/config/certs

  2. copied certificates.p12 : cp /etc/elasticsearch/elastic-certificates.p12 /home/es/config/certs

  3. copied HTTP certs to the same directory : cp /etc/elasticsearch/http.p12 /home/es/config/certs
    And to http

  4. For each additional Elastic product that you want to configure, copy the certificates to the relevant configuration directory. - ???
    Does it include beats products? If it does where are "relevant" configuration directories? under /etc/..?

  5. cp /home/es/config/certs

  6. unzip

  7. copy http.p12 to /etc/elasticsearch/

  8. elasticsearch.yml : true certificate elastic-certificates.p12 elastic-certificates.p12 true certificate http.p12 http.p12
  9. Update all clients, tools, and applications that connect to Elasticsearch
    to use the https protocol in their configuration URL.
    For example, Kibana, Beats, Logstash, language clients, and custom applications.

  • for me that is:
    /etc/filebeat/filebeat.yml #protocol: "https" - for elasticsearch output
    /etc/auditbeat/auditbeat.yml #protocol: "https"
    /etc/metricbeat/metricbeat.yml #protocol: "https"
    /etc/metricbeat/modules.d/elasticsearch-xpack.yml #https
    /etc/packetbeat/packetbeat.yml #protocol: "https"
  1. Encrypting traffic between the browser and Kibana.
    Encrypt communications in Kibana | Kibana Guide [7.11] | Elastic

bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost,
Certificates written to /usr/share/elasticsearch/sk1f_kibana.p12

Certificates written to /usr/share/elasticsearch/

/usr/share/elasticsearch/bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost, -pem #here tried to use pem to see if there will be .key output.
cp /usr/share/elasticsearch/ /home/es/config/certs/

  1. cp /usr/share/elasticsearch/sk1f_kibana.p12 /home/es/config/certs/
    sudo cp /home/es/config/certs/kibana-server/ # -tried to use pem format in case if p12 not going to work

in kibana.yml : server.ssl.keystore.path: "/path/to/kibana-server.p12"

server.ssl.keystore.path: /etc/kibana/sk1f_kibana.p12
server.ssl.keystore.password: ""
server.ssl.enabled: true

elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elasticsearch-ca.pem"]

When I try to launch Kibana:

["error","plugins","securitySolution"],"pid":13097,"message":"The following index patterns did not match any indices: [\"logs-endpoint.alerts-*\"] name: \"Endpoint Security\" id: \"f98df1a8-82db-11eb-906e-3fd6825689af\" rule id: \"9a1a2dae-0b5f-4c3d-8305-a268d404c306\" signals index: \".siem-signals-default\""}

["error","elasticsearch","data"],"pid":13097,"message":"Request error, retrying\nPOST https://localhost:9200/_bulk => socket hang up"}

Any advice on where is the error/how to fix it/ any help/ any reply?

All I'm trying to achieve is to get automatic alarm notifications from auditbeat rules. From what I can see I can do that only by activating the trial licence and making a TLS connection. The other thing is - I have tried to use your guides - doesn't work.

You asked a rapid series of not-completely-related questions over a weekend. Please be patient, and please take the time to ask clear questions with all necessary details.
Comments like "I have tried to use your guides - doesn't work" provide no useful information. What didn't work? Where did you get stuck?

I'm having a lot of trouble working out which of your issues still exist, and which issues you have resolved.

Yes, if you enable SSL for Elasticsearch's HTTP server, then you need to configure that within beats.
Here is the relevant documentation for filebeat: Secure communication with Elasticsearch | Filebeat Reference [7.11] | Elastic

Thank you for your reply. Sorry, I overreacted a bit - because before the stage of "securing" the stack, the guides are clear and understandable.
Before moving to configuring beats I cannot launch kibana - explained my steps in the last post written above. Possibly you will be able to see where is the mistake.

- Looks like I have found the error why Kibana was not able to start:
I had to chmod 660 /etc/kibana/kibana_server.p12
For next steps I will try to follow your guide and configure beats.
