I've been struggling to get encryption between Kibana and my Elasticsearch cluster working for the past two days. My platform is CentOS 7 and I'm using ES version 6.4.0. Here's where I am:
Encryption between ES nodes is working. I used the "elasticsearch-certutil" to create a CA and to create certs for each node per the instructions:
elasticsearch-certutil ca
mv elastic-stack-ca.p12 ES-ca.p12
elasticsearch-certutil cert --ca ES-ca.p12 --name node1 --dns node1.example.com --ip 192.168.10.1
elasticsearch-certutil cert --ca ES-ca.p12 --name node2 --dns node2.example.com --ip 192.168.10.2
elasticsearch-certutil cert --ca ES-ca.p12 --name node3 --dns node3.example.com --ip 192.168.10.3
elasticsearch-certutil cert --ca ES-ca.p12 --name kibana1 --dns kibana1.example.com --ip 192.168.10.4
The "elasticsearch-certutil" produced PKCS12 formatted certificate bundles, which were copied to all the nodes along with the CA cert. Passwords are entered into the elasticsearch keystore. The ES cluster nodes encryption now works fine.
Kibana client communications are successfully SSL/TLS encrypted. I generated the key and csr with openssl and obtained a signed cert from LetsEncrypt. The following configuration is in place:
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana1_ssl.crt.pem
server.ssl.key: /etc/kibana/private/kibana_ssl.key.pem
The private key password is entered into the Kibana keystore. This all works fine. Note that this private/public key pair was generated by openssl and signed by an external CA, not my elasticsearch CA generated above.
Next I try to secure the communications between kibana1 and the backend ES node1. Communications between node1, node2 and node3 are already successfully encrypted. I just want to add kibana1. Kibana uses pem certs, not PKCS12. The CA and all the ES nodes use PKCS12 bundles, so I extract the pem files from kibana1.p12 using openssl and place them in /etc/kibana/private and /etc/kibana/certs.
openssl pkcs12 -in kibana1.p12 -nocerts -out ./private/kibana1.es_CA.key.pem
openssl pkcs12 -in kibana1.p12 -clcerts -nokeys -out ./certs/kibana1.es_CA.crt.pem
The kibana1.es_CA.key.pem password is entered into the Kibana keystore. My configuration file is modified to include:
elasticsearch.url: "https://node1.example.com:9200"
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana1.es_CA.crt.pem
elasticsearch.ssl.key: /etc/kibana/private/kibana1.es_CA.key.pem
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ES-ca.p12" ]
elasticsearch.ssl.verificationMode: full
With this configuration, kibana1 can no longer communicate with node1. The error in the kibana.log appears as:
{"type":"log","@timestamp":"2018-11-16T19:37:45Z","tags":["warning","elasticsearch","admin"],"pid":34625,"message":"Unable to revive connection: https://node1.example.com:9200/"}
{"type":"log","@timestamp":"2018-11-16T19:37:45Z","tags":["warning","elasticsearch","admin"],"pid":34625,"message":"No living connections"}
There are many messages like this. I'm not sure how to proceed. Maybe I should ditch the "elasticsearch-certutil" tool and regenerate my certs using openssl from the start. Has anyone done this successfully using a different procedure?
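
An added pre-flight check, not part of the original post: the post notes that Kibana uses PEM rather than PKCS12, and the Kibana 6.x documentation describes the three elasticsearch.ssl.* file settings as PEM paths, so this script classifies each referenced file by its PEM header. The function names, the optional root-prefix argument and the file contents are constructed for illustration; only the setting names and paths come from the post.

```shell
# Added example (not from the post): verify that files named by elasticsearch.ssl.* are PEM.
# Print "pem:<LABEL>" for the first PEM header found in a file, else "not-pem" or "missing".
pem_kind() {
  [ -r "$1" ] || { echo "missing"; return 0; }
  label=$(sed -n 's/^-----BEGIN \([A-Z0-9 ]*\)-----.*/\1/p' "$1" | head -n 1)
  if [ -n "$label" ]; then echo "pem:$label"; else echo "not-pem"; fi
}

# Print "setting<TAB>path" for each file the three settings reference in a kibana.yml.
es_ssl_paths() {
  grep -E '^elasticsearch\.ssl\.(certificate|key|certificateAuthorities):' "$1" |
  while IFS=: read -r setting value; do
    # certificateAuthorities is a YAML list: drop brackets and quotes, split on commas.
    printf '%s\n' "$value" | tr -d '[]"' | tr -d "'" | tr ',' '\n' |
    while read -r path; do
      if [ -n "$path" ]; then printf '%s\t%s\n' "$setting" "$path"; fi
    done
  done
}

# Report each file; return 1 if any is missing or not PEM. $2 is an optional root prefix.
check_kibana_es_tls() {
  rc=0
  while IFS="$(printf '\t')" read -r setting path; do
    [ -n "$path" ] || continue
    kind=$(pem_kind "$2$path")
    printf '%-42s %-44s %s\n' "$setting" "$path" "$kind"
    case $kind in pem:*) ;; *) rc=1 ;; esac
  done <<EOF
$(es_ssl_paths "$1")
EOF
  return $rc
}

# Build a constructed tree mirroring the paths in the post (all file contents are fake).
make_constructed_tree() {
  root=$(mktemp -d); c=$root/etc/kibana/certs; k=$root/etc/kibana/private; mkdir -p "$c" "$k"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$c/kibana1.es_CA.crt.pem"
  printf '%s\n' 'Bag Attributes' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$k/kibana1.es_CA.key.pem"
  printf '0\202\011\343\002\001\003' > "$c/ES-ca.p12"   # binary stand-in for a PKCS12 bundle
  printf '%s\n' 'elasticsearch.ssl.certificate: /etc/kibana/certs/kibana1.es_CA.crt.pem' \
    'elasticsearch.ssl.key: /etc/kibana/private/kibana1.es_CA.key.pem' \
    'elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ES-ca.p12" ]' \
    > "$root/kibana.yml"
  echo "$root"
}

root=$(make_constructed_tree)
check_kibana_es_tls "$root/kibana.yml" "$root" || echo "at least one referenced file is not PEM"
```

On a real host, call `check_kibana_es_tls /etc/kibana/kibana.yml` with no second argument so the paths are read as written.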