We have established TLS on our cluster (v7.7.1) by generating self-signed certificates as described in this document. The entire cluster seems to be working fine.
However, to establish TLS between Kibana (residing on a separate server not a part of the cluster) we have made multiple efforts without any success.
and tried both the public certificate and node certificate in PKCS format. The cert does not have any encryption password so we have not defined elasticsearch.ssl.truststore.password. When we run Kibana, we get the following error:
PKCS#12 MAC could not be verified. Invalid password?
Either re-issue your certificate so that it contains its hostname in the list of the SANs, so that anything (Kibana in this case) can perform hostname validation as it should as part of the TLS handshake,
or (and I certainly discourage you from doing so) set elasticsearch.ssl.verificationMode: certificate in your Kibana settings so that it won't try to perform hostname validation and you have a working (but less secure) setup.
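The SAN check that the reply above recommends can be run before pointing Kibana at a node. This is an added example, not part of the original thread; it needs the openssl CLI, and the function names, hostnames and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: does a certificate's SAN list cover the name a client connects to?
# Requires the openssl CLI. All names and addresses are constructed placeholders.

# Build a throwaway self-signed cert with one DNS SAN and one IP SAN.
make_sample_cert() {
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = es-node-1
[ext]
subjectAltName = DNS:es01.example.internal, IP:10.0.0.5
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Return 0 if the cert is valid for the host, which may be a DNS name or an IP literal.
cert_covers_host() {
    cert=$1
    host=$2
    case $host in
        *:*)        flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*)  flag=-checkhost ;;  # anything with a non-digit, non-dot: DNS name
        *)          flag=-checkip ;;    # digits and dots only: IPv4 literal
    esac
    openssl x509 -in "$cert" -noout "$flag" "$host" |
        grep -q 'does match certificate'
}

# Demo: the CN alone is not enough, because OpenSSL ignores it once DNS SANs exist.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
for name in es01.example.internal 10.0.0.5 10.0.0.6 es-node-1; do
    if cert_covers_host "$tmp/cert.pem" "$name"; then
        echo "$name: covered by SAN"
    else
        echo "$name: NOT covered, hostname validation would fail"
    fi
done
rm -rf "$tmp"
```

When Kibana connects by IP address, as in a URL of the form https://10.0.xx.xx:9200, the certificate needs a matching IP SAN; a DNS SAN for the same machine does not satisfy the check.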
GET https://10.0.xx.xx:9200/_xpack => write EPROTO 140246428264256:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
Yes, you are correct. I had commented out the http TLS configuration on my client node. After enabling it, Kibana starts without any error, but still no joy.
The alerting section in Kibana still says "You must enable Transport Layer Security. Alerting relies on API keys, which require TLS between Elasticsearch and Kibana. Learn how to enable TLS."
I believe I took all the relevant steps to secure the connection between Kibana and Elasticsearch. Here are the config parameters currently set in my yml file