Hello, would like to ask for help in configuring SSL connection.
When using https: i get this error: Error code: SSL_ERROR_RX_RECORD_TOO_LONG.
If I try
curl --cacert /etc/kibana/elasticsearch-ca.pem https://localhost:9200/ -u elastic:pword -v
I receive output of :
SSL: certificate subject name 'elasticsearch' does not match target host name
Where or how I can change target host name or certificate subject name?
After creating new certificate I receive output :
matched cert's IP address!
SSL certificate verify ok.
However, same error from the browser:
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
Is that means that I have to configure browser as well or I am trying to use https on http?
( sorry in advance - im new here, so there will be many silly questions 
When I do
curl --insecure -X GET "https://0.0.0.0:9200/?pretty" -u elastic:pword
I get that "you know, you search" message.
If i use Mozilla browser - i cant access.
And my cluster is all gone - by that I mean I do not see filebeat, auditbeat, packetbeat - through metricbeat.
But now I am able to see Detections tab - its empty but without that "setting up" warning message.
So this means that TLS connection established between elasticsearch and kibana?
If so, how do I get all beats back to live? Sorry to say but it is very unclear in the guides.
For example.
setup.kibana.host: "https://192.0.2.255:5601"
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
setup.kibana.ssl.certificate: "/etc/pki/client/cert.pem"
setup.kibana.ssl.key: "/etc/pki/client/cert.key"
I do not have ca.pem in kpi folder, kpi folder is empty. I dont see any .key files.
When I was doing certificate I received elasticsearch-ssl-http.zip file, so I have unzipped it and done like so:
cp /usr/share/elasticsearch/elasticsearch/http.p12 /etc/elasticsearch/ #
chown root.elasticsearch /etc/elasticsearch/http.p12
chmod 660 /etc/elasticsearch/http.p12
In elastisearch.yml :
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
Afterwards,
cp /usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/kibana/
into kibana config:
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none
Please correct me if I am doing something wrong and would like to ask for advice on next steps.
Can anyone help with the issue?
Main question is how do I properly secure Kibana and Elasticsearch + all beats that I am using (metricbeat, auditbeat, packetbeat, filebeat). Possibly any links that can be useful in doing this?
If this type of topic should not be discussed on the forum - possibly I can contact any moderator privately? So I can discuss and describe the steps I have done?
created directory : /home/es/config/certs
copied certificates.p12 : cp /etc/elasticsearch/elastic-certificates.p12 /home/es/config/certs
copied HTTP certs to the same directory : cp /etc/elasticsearch/http.p12 /home/es/config/certs
And to http
For each additional Elastic product that you want to configure, copy the certificates to the relevant configuration directory. - ???
Does it include beats products? If it does where are "relevant" configuration directories? under /etc/..?
cp elasticsearch-ssl-http.zip /home/es/config/certs
unzip elasticsearch-ssl-http.zip
copy http.p12 to /etc/elasticsearch/
elasticsearch.yml :
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: http.p12
xpack.security.http.ssl.truststore.path: http.p12
Update all clients, tools, and applications that connect to Elasticsearch
to use the https protocol in their configuration URL.
For example, Kibana, Beats, Logstash, language clients, and custom applications.
bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost, 0.0.0.0
Certificates written to /usr/share/elasticsearch/sk1f_kibana.p12
Certificates written to /usr/share/elasticsearch/certificate-bundle.zip
/usr/share/elasticsearch/bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost,0.0.0.0 -pem #here tried to use pem to see if there will be .key output.
cp /usr/share/elasticsearch/certificate-bundle.zip /home/es/config/certs/
in kibana.yml : server.ssl.keystore.path: "/path/to/kibana-server.p12"
server.ssl.keystore.path: /etc/kibana/sk1f_kibana.p12
server.ssl.keystore.password: ""
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elasticsearch-ca.pem"]
when try to launch kibana :
["error","plugins","securitySolution"],"pid":13097,"message":"The following index patterns did not match any indices: [\"logs-endpoint.alerts-*\"] name: \"Endpoint Security\" id: \"f98df1a8-82db-11eb-906e-3fd6825689af\" rule id: \"9a1a2dae-0b5f-4c3d-8305-a268d404c306\" signals index: \".siem-signals-default\""}
["error","elasticsearch","data"],"pid":13097,"message":"Request error, retrying\nPOST https://localhost:9200/_bulk => socket hang up"}
Any advice on where is the error/how to fix it/ any help/ any reply?
All im trying to achieve is to get automatic alarm notifications from auditbeat rules. From what I can see I can do that only from activating trial licence and making tls connection. Other thing is - I have tried to use your guides - doesn't work.
You asked a rapid series of not-completely-related questions over a weekend. Please be patient, and please take the time to ask clear questions with all necessary details.
Comments like "I have tried to use your guides - doesn't work" provide no useful information. What didn't work? Where did you get stuck?
I'm having a lot of trouble working out which of your issues still exist, and which issues you have resolved.
Yes, if you enable SSL for Elasticsearch's HTTP server, then you need to configure that within beats.
Here is the relevant documentation for filebeat: Secure communication with Elasticsearch | Filebeat Reference [7.11] | Elastic
Thank you for your reply. Sorry, did overreacted a bit - because previous to the stage of "securing" stack, guides are clear and understandable.
Before moving to configuring beats I cannot launch kibana - explained my steps in the last post written above. Possibly you will be able to see where is the mistake.
-looks like I have found error why Kibana was not able to start :
I had to chmod 660 /etc/kibana/kibana_server.p12
For next steps I will try to follow your guide and configure beats.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.