TLS Between Elastic & Kibana…Alerts Not Working

Hi. I have established TLS on our cluster (v7.11.1). The entire cluster seems to be working fine except the Alerts and Report section.

The alerting section in Kibana still says: "You must enable Transport Layer Security. Alerting relies on API keys, which require TLS between Elasticsearch and Kibana. Learn how to enable TLS."

I believe I took all the relevant steps to secure the connection between Kibana and Elasticsearch. Here are the config parameters currently set in my yml files.

kibana.yml:

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/Elastic-Kibana-HTTP-1.cer
server.ssl.key: /etc/kibana/certs/Elastic-Kibana-HTTP-1.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/INFRA-RCA_INFRA-SCA_chain.pem" ]
elasticsearch.ssl.verificationMode: full
xpack.security.encryptionKey: "fK9QUev3GdfVHc31GR1lcyWe7PKanj7o7hdTDZ7W"
xpack.encryptedSavedObjects.encryptionKey: "8KacgxuuthHBvChtdFuElS5QxPdBUBiS9gSeDcyXj3mDwtUzWe"

elasticsearch.yml:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: certs/Elastic-Kibana-1.key
xpack.security.transport.ssl.certificate: certs/Elastic-Kibana-1.cer
xpack.security.transport.ssl.certificate_authorities: certs/INFRA-RCA_INFRA-SCA_chain.pem
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/Elastic-Kibana-1.key
xpack.security.http.ssl.certificate: certs/Elastic-Kibana-1.cer
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/INFRA-RCA_INFRA-SCA_chain.pem" ]
xpack.security.http.ssl.client_authentication: optional

Any suggestions on what I am missing?

@Patrick_Mueller can we please get your eyes for a bit?

Thanks,
Bhavya

Here are the guides we point people to:

As far as I know these are complete, and if they aren't, we'll have to get someone in security involved, as I'm not sure exactly how all these work together. Most people hitting the TLS warning in Alerting, that are attempting to use TLS, usually end up having a TLS terminator in front of elasticsearch, which is not currently supported (there is an issue in elasticsearch to allow such configurations). That doesn't appear to be the case here, it looks like elasticsearch is being configured to run in TLS mode directly - but again, I'm not an expert here.

Some simple things to check:

  • have Kibana and elasticsearch been restarted?
  • anything security-related or alert-related in the elasticsearch or Kibana logs?

Thank you for your response.

I have rechecked the Kibana Guide you mentioned, also followed the link on how to enable TLS, and I didn't find any mistakes in my configuration.

Kibana and Elasticsearch have been restarted numerous times.

Didn't find any alerts in logs besides deprecation.

Do the xpack.security.http.ssl settings have to be configured on all elasticsearch nodes?
I have 8 nodes in my cluster, but kibana is only connecting to two, which do have the configuration above.

Good question, I don't know for sure, but seems like it could be confusing for you in the future to have different settings for different nodes.

Did you include the https protocol in your kibana.yml setting for elasticsearch.hosts? I didn't see one in your config above; example from the doc I referenced:

elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]

There were some additional security related configs referenced in one of the docs I linked to before, that aren't listed in your config above - Configure security in Kibana | Kibana Guide [7.11] | Elastic - but I'm guessing you already had security configured, and are just looking at enabling TLS?

@Rok Any luck? I am facing the same issue.

I have kibana installed on the same node where I have the elasticsearch installed with the configuration above. I have different configurations of elasticsearch depending on their roles.
3x master, 3x data and 2x coordinating nodes with kibana.

Yes, I have https in my configuration. It is pointing to itself.

elasticsearch.hosts: ["https://Elastic-Kibana-1:9200"]

As you have written, I have security already configured and I only have problems with the TLS section. From the manual page you mentioned, I don't have xpack.security.session values set, but I'm guessing they are irrelevant to what I'm trying to achieve.

No, not yet. I'm stuck running in circles. Rechecking the configuration, going through the manual.
I even cleared everything starting from scratch. Same result. :frowning:

Do all those nodes have TLS enabled for HTTP?

I suspect the problem here is that your elected master node does not.

Can you check

GET /_xpack/usage

and look at the value for security.ssl.http.enabled?

That did the trick. :slight_smile:

Thank you.

Rok,
Please make sure your Metricbeat is configured properly on the current master node.

Good afternoon. Can you send the settings of these 2 yml files (without keys; instead of keys put ....)? How did you set up the certificates (I haven't been able to do it for 4 days)? sergmartynenko1986@yandex.ru

YML files are at the beginning of the post. All elasticsearch nodes have to have TLS enabled for HTTP.
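
Added example (not part of any post in this thread): a Python check for the condition the thread converged on, that every Elasticsearch node has xpack.security.http.ssl.enabled set to true, flagging master-eligible nodes in particular. It assumes the per-node settings were fetched with GET /_nodes/settings; the sample response below is constructed, and every node name except Elastic-Kibana-1 is hypothetical.

```python
HTTP_TLS_KEY = "xpack.security.http.ssl.enabled"

def _node(name, roles, http_tls=None):
    """Build one constructed node entry; http_tls=None means the key is not set."""
    ssl = {} if http_tls is None else {"enabled": http_tls}
    return {"name": name, "roles": roles,
            "settings": {"xpack": {"security": {"enabled": "true", "http": {"ssl": ssl}}}}}

# Constructed sample shaped like a GET /_nodes/settings response for the
# 3 master / 3 data / 2 coordinating layout described in the thread.
# Node names other than Elastic-Kibana-1 are hypothetical.
SAMPLE = {"nodes": {
    "n1": _node("Elastic-Kibana-1", [], "true"),
    "n2": _node("Elastic-Kibana-2", [], "true"),
    "n3": _node("master-1", ["master"]),
    "n4": _node("master-2", ["master"]),
    "n5": _node("master-3", ["master"], "false"),
    "n6": _node("data-1", ["data"]),
    "n7": _node("data-2", ["data"]),
    "n8": _node("data-3", ["data"]),
}}

def lookup(settings, dotted_key):
    """Read a setting from nested JSON or from the flat_settings=true form."""
    if dotted_key in settings:
        return settings[dotted_key]
    cur = settings
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # not set in elasticsearch.yml, so the default (false) applies
        cur = cur[part]
    return cur

def nodes_missing_http_tls(nodes_settings):
    """Return (name, is_master_eligible) for every node without HTTP TLS enabled."""
    missing = []
    for info in nodes_settings.get("nodes", {}).values():
        value = lookup(info.get("settings", {}), HTTP_TLS_KEY)
        if str(value).lower() != "true":
            missing.append((info["name"], "master" in info.get("roles", [])))
    return sorted(missing)

if __name__ == "__main__":
    for name, master in nodes_missing_http_tls(SAMPLE):
        print(f"{name}: HTTP TLS not enabled{' (master-eligible)' if master else ''}")
```

A node that never sets the key is reported the same as one that sets it to false, because the settings output only carries values explicitly present in that node's elasticsearch.yml.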