SSL connection between Kibana and Elasticsearch

Hello, would like to ask for help in configuring SSL connection.
When using https: i get this error: Error code: SSL_ERROR_RX_RECORD_TOO_LONG.

If I try

curl --cacert /etc/kibana/elasticsearch-ca.pem https://localhost:9200/ -u elastic:pword -v

I receive output of :

SSL: certificate subject name 'elasticsearch' does not match target host name

Where or how I can change target host name or certificate subject name?

After creating new certificate I receive output :

matched cert's IP address!
SSL certificate verify ok.

  • Connection #0 to host 0.0.0.0 left intact

However, same error from the browser:

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Is that means that I have to configure browser as well or I am trying to use https on http?

( sorry in advance - im new here, so there will be many silly questions :slight_smile:

When I do

curl --insecure -X GET "https://0.0.0.0:9200/?pretty" -u elastic:pword

I get that "you know, you search" message.
If i use Mozilla browser - i cant access.
And my cluster is all gone - by that I mean I do not see filebeat, auditbeat, packetbeat - through metricbeat.

But now I am able to see Detections tab - its empty but without that "setting up" warning message.
So this means that TLS connection established between elasticsearch and kibana?
If so, how do I get all beats back to live? Sorry to say but it is very unclear in the guides.

For example.

setup.kibana.host: "https://192.0.2.255:5601"
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
setup.kibana.ssl.certificate: "/etc/pki/client/cert.pem"
setup.kibana.ssl.key: "/etc/pki/client/cert.key"
  • I do not have ca.pem in kpi folder, kpi folder is empty. I dont see any .key files.
    When I was doing certificate I received elasticsearch-ssl-http.zip file, so I have unzipped it and done like so:

      cp /usr/share/elasticsearch/elasticsearch/http.p12 /etc/elasticsearch/ #
      chown root.elasticsearch /etc/elasticsearch/http.p12
      chmod 660 /etc/elasticsearch/http.p12
    

In elastisearch.yml :

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"

Afterwards,

cp /usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/kibana/

into kibana config:

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none

Please correct me if I am doing something wrong and would like to ask for advice on next steps.

Can anyone help with the issue?
Main question is how do I properly secure Kibana and Elasticsearch + all beats that I am using (metricbeat, auditbeat, packetbeat, filebeat). Possibly any links that can be useful in doing this?

If this type of topic should not be discussed on the forum - possibly I can contact any moderator privately? So I can discuss and describe the steps I have done?

  1. created directory : /home/es/config/certs

  2. copied certificates.p12 : cp /etc/elasticsearch/elastic-certificates.p12 /home/es/config/certs

  3. copied HTTP certs to the same directory : cp /etc/elasticsearch/http.p12 /home/es/config/certs
    And to http

  4. For each additional Elastic product that you want to configure, copy the certificates to the relevant configuration directory. - ???
    Does it include beats products? If it does where are "relevant" configuration directories? under /etc/..?

  5. cp elasticsearch-ssl-http.zip /home/es/config/certs

  6. unzip elasticsearch-ssl-http.zip

  7. copy http.p12 to /etc/elasticsearch/

  8. elasticsearch.yml :

     xpack.security.transport.ssl.enabled: true
     xpack.security.transport.ssl.verification_mode: certificate 
     xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 
     xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 
     xpack.security.http.ssl.enabled: true
     xpack.security.http.ssl.verification_mode: certificate
     xpack.security.http.ssl.keystore.path: http.p12
     xpack.security.http.ssl.truststore.path: http.p12
    
  9. Update all clients, tools, and applications that connect to Elasticsearch
    to use the https protocol in their configuration URL.
    For example, Kibana, Beats, Logstash, language clients, and custom applications.

  • for me that is:
    /etc/kibana/kibana.yml
    /etc/filebeat/filebeat.yml #protocol: "https" - for elasticsearch output
    /etc/auditbeat/auditbeat.yml #protocol: "https"
    /etc/metricbeat/metricbeat.yml #protocol: "https"
    /etc/metricbeat/modules.d/lasticsearch-xpack.yml #https
    /etc/packetbeat/packetbeat.yml #protocol: "https"
  1. Encrypting traffic between the browser and Kibana.
    Encrypt communications in Kibana | Kibana Guide [7.11] | Elastic

bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost, 0.0.0.0
Certificates written to /usr/share/elasticsearch/sk1f_kibana.p12

Certificates written to /usr/share/elasticsearch/certificate-bundle.zip

/usr/share/elasticsearch/bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost,0.0.0.0 -pem #here tried to use pem to see if there will be .key output.
cp /usr/share/elasticsearch/certificate-bundle.zip /home/es/config/certs/

  1. cp /usr/share/elasticsearch/sk1f_kibana.p12 /home/es/config/certs/
    sudo cp certificate-bundle.zip /home/es/config/certs/kibana-server/ # -tried to use pem format in case if p12 not going to work

in kibana.yml : server.ssl.keystore.path: "/path/to/kibana-server.p12"

server.ssl.keystore.path: /etc/kibana/sk1f_kibana.p12
server.ssl.keystore.password: ""
server.ssl.enabled: true

elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elasticsearch-ca.pem"]

when try to launch kibana :

["error","plugins","securitySolution"],"pid":13097,"message":"The following index patterns did not match any indices: [\"logs-endpoint.alerts-*\"] name: \"Endpoint Security\" id: \"f98df1a8-82db-11eb-906e-3fd6825689af\" rule id: \"9a1a2dae-0b5f-4c3d-8305-a268d404c306\" signals index: \".siem-signals-default\""}

["error","elasticsearch","data"],"pid":13097,"message":"Request error, retrying\nPOST https://localhost:9200/_bulk => socket hang up"}

Any advice on where is the error/how to fix it/ any help/ any reply?

All im trying to achieve is to get automatic alarm notifications from auditbeat rules. From what I can see I can do that only from activating trial licence and making tls connection. Other thing is - I have tried to use your guides - doesn't work.

You asked a rapid series of not-completely-related questions over a weekend. Please be patient, and please take the time to ask clear questions with all necessary details.
Comments like "I have tried to use your guides - doesn't work" provide no useful information. What didn't work? Where did you get stuck?

I'm having a lot of trouble working out which of your issues still exist, and which issues you have resolved.

Yes, if you enable SSL for Elasticsearch's HTTP server, then you need to configure that within beats.
Here is the relevant documentation for filebeat: Secure communication with Elasticsearch | Filebeat Reference [7.11] | Elastic

Thank you for your reply. Sorry, did overreacted a bit - because previous to the stage of "securing" stack, guides are clear and understandable.
Before moving to configuring beats I cannot launch kibana - explained my steps in the last post written above. Possibly you will be able to see where is the mistake.

-looks like I have found error why Kibana was not able to start :
I had to chmod 660 /etc/kibana/kibana_server.p12
For next steps I will try to follow your guide and configure beats.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.