SSL using X-pack : Invalid security certificate

Hi,
I successfully configured SSL on my cluster. However, when I open the URL in Firefox I get a big warning.

Is there any way I can change the certificate generation to make this warning go away?

PS: I did not provide the DNS name when generating certificates.

Hey @pk.241011 how did you go about generating the certificate? You'll want the domain name of the certificate to match the domain name of the URL that you're using to access Kibana.

If you purchased an SSL certificate for a public domain name, you'll want to access Kibana using the public domain-name as opposed to the hostname of the server.

I just followed the steps outlined in the help page on the Elastic website.
I did not buy any SSL certificate.

Here is a sample of the ipconfig from my Windows machine.

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.StarkIndustries.org
   Link-local IPv6 Address . . . . . : G::G:G:G:GGG
   IPv4 Address. . . . . . . . . . . : XXX.XXX.XXX.XXX
   Subnet Mask . . . . . . . . . . . : YYY.YYY.YYY.YYY
   Default Gateway . . . . . . . . . : ZZZ.ZZZ.ZZZ.ZZZ

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : F::F:F:F:FFF
   Autoconfiguration IPv4 Address. . : MMM.MMM.MMM.MMM
   Subnet Mask . . . . . . . . . . . : TTT.TTT.TTT.TTT
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.corp.StarkIndustries.org:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : corp.StarkIndustries.org

Tunnel adapter isatap.{...blah...}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Let us assume that my computer name is "Alpha" and the full computer name is "Alpha.corp.StarkIndustries.org".

Given this, can someone point out what I should be putting in:

Enter instance name:
Enter IP Addresses for instance (comma-separated if more than one) []:
Enter DNS names for instance (comma-separated if more than one) []:

@pk.241011 it all depends on the domain-name, or ip address that you're using to access Kibana.

If you're accessing Kibana on the following URL, https://localhost, you'll want to use localhost for the "Enter DNS names for instance" prompt. Or if you're using https://Alpha.corp.StarkIndustries.org, you'll want to use Alpha.corp.StarkIndustries.org.
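The name check behind the advice above, as an added example that is not part of the original thread or of Elastic's tooling: it reports whether the host in a URL is covered by the DNS or IP entries of a certificate, and it also handles wildcard entries, which the thread does not discuss. The certificate dicts follow the layout of Python's `ssl.SSLSocket.getpeercert()`; the IP 192.0.2.10, port 5601 and both sample certificates are constructed values. It checks names only, not whether the issuer is trusted.

```python
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive label match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def url_matches_cert(url: str, cert: dict) -> bool:
    """True if the URL's host is covered by a subjectAltName entry of `cert`."""
    host = urlsplit(url).hostname  # drops scheme, port and path
    if not host:
        return False
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A host name: only "DNS" entries count.
        return any(k == "DNS" and _dns_match(v, host) for k, v in sans)
    # An IP literal: only "IP Address" entries count, never DNS entries.
    return any(k == "IP Address" and ipaddress.ip_address(v.strip()) == ip
               for k, v in sans)


# Constructed sample: instance generated with only the short name in the DNS field.
CERT_SHORT = {"subjectAltName": (("DNS", "alpha"),)}

# Constructed sample: every name and address the browser will actually use.
CERT_FULL = {"subjectAltName": (
    ("DNS", "Alpha.corp.StarkIndustries.org"),
    ("DNS", "localhost"),
    ("IP Address", "192.0.2.10"),
)}

if __name__ == "__main__":
    for url in ("https://alpha:5601/",
                "https://Alpha.corp.StarkIndustries.org:5601/",
                "https://localhost:5601/",
                "https://192.0.2.10:5601/"):
        print(f"{url:48} short={url_matches_cert(url, CERT_SHORT)!s:5} "
              f"full={url_matches_cert(url, CERT_FULL)}")
```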

I tried by giving just the alpha to the DNS field. I guess port number is not needed. Still getting same error.

Is Elastic Certificate Tool Autogenerated CA trusted by default by the browsers or do I have to add exceptions (since it is self signed) to browsers to make warning go away?

No, that would be a major security problem - the tool allows you to generate certificates for all sorts of hostnames. If the browsers trusted them by default, that would break the whole certificate trust model that is used on the internet.

If you use the certgen tool in its default mode (i.e. if you don't use the -csr option) then the certificates that you get will not be automatically trusted by the browser.

You have three broad options:

  1. Accept that it's a self-signed certificate and add an exception in your browser. Note: You need to decide for yourself whether this is a good idea or not. If you are the only one using the site, then this might be a good option, but if you are asking other people to log in to Kibana, then training them to "just add an exception" might not be a good idea. This decision is one that depends on context, and we aren't able to advise you as to whether it is suitable in your situation.

  2. Add the auto-generated CA as a trusted issuer in your browser. Note: There are security implications if you do this, and as with the previous option, we can't tell you whether it's a good idea or not. You should make sure you understand the implications of this before you go down that path.

  3. Use a trusted CA (commercial or organisational) to sign your certificate. The certgen documentation has instructions for that. Depending on your circumstances there may be a financial cost, and it may require that you are the owner/admin of your domain.
    We have an article on our blog about how to use Let's Encrypt certificates in Elasticsearch and Kibana. That may be helpful to you.

Thanks for clarification Tim. Maybe this elaboration is something which can be added as a side note to the documentation. Will help newbies like me.
