Hi guys,
I'm using Elasticsearch and Kibana 7.17.6 and currently I'm facing some problems with the security settings.
I'm trying to set up basic security for a 3-node Elasticsearch cluster and a 1-node Kibana using certificates signed by an external CA. Everything works just fine with the Elasticsearch cluster when I test it using the curl command, but when I start Kibana it seems Kibana cannot verify the cluster certificates, and I got the following error message in the Kibana log.
{"type":"log","@timestamp":"2022-12-12T15:18:29-05:00","tags":["error","elasticsearch-service"],"pid":1125039,"message":"Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate"}
I would appreciate any suggestions you could give to solve this.
These are the config files for Kibana and the ES nodes.
elasticsearch.yml - Node 1
# ---------------------------------- Security ----------------------------------
#
# *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
#
# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
#
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/SV934Dashmoni3.cer
xpack.security.http.ssl.key: /etc/elasticsearch/certs/http-SV934Dashmoni3.key
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.cer
elasticsearch.yml - Node 2
# ---------------------------------- Security ----------------------------------
#
# *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
#
# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
#
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/SV934Dashmoni4.cer
xpack.security.http.ssl.key: /etc/elasticsearch/certs/http-SV934Dashmoni4.key
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.cer
elasticsearch.yml - Node 3
# ---------------------------------- Security ----------------------------------
#
# *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
#
# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
#
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/SV934Dashmoni5.cer
xpack.security.http.ssl.key: /etc/elasticsearch/certs/http-SV934Dashmoni5.key
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.cer
kibana.yml
To clarify: the elasticsearch-ca.pem certificate shown in this file is exactly the same /etc/elasticsearch/certs/ca.cer used in the ES cluster, but converted from .cer to .pem format.
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://SV934Dashmoni3:9210", "https://SV934Dashmoni4:9210", "https://SV934Dashmoni5:9210"]
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"
# The default application to load.
#kibana.defaultAppId: "home"
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "*****"
# Kibana can also authenticate to Elasticsearch via "service account tokens".
# If may use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: true
#server.ssl.certificate: /etc/kibana/certs/SV934Dashmoni2.cer
#server.ssl.key: /etc/kibana/certs/SV934Dashmoni2.key
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/selfsigned/elasticsearch-ca.pem
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full
Thanks in advance.
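
"unable to verify the first certificate" is the OpenSSL verification error raised when the client cannot find the issuer of the certificate the server presents. The shell sketch below is an added example, not part of the original post: it checks a served chain against a CA file with `openssl`, and demonstrates the failure on a constructed root CA, issuing CA and node certificate. The helper names and `demo-*` subjects are made up here, and whether the poster's external CA uses an intermediate is an assumption.

```shell
#!/bin/sh
# Added example; every certificate, name and path below is constructed.

# served_chain HOST PORT: print the PEM certificates a live node presents.
served_chain() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# cert_count FILE: number of certificates in a PEM file (1 = leaf only).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# chain_ok CA_FILE SERVED_PEM: succeed only if the first certificate in
# SERVED_PEM chains to CA_FILE, using the rest of SERVED_PEM as intermediates.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

# make_demo_pki DIR: constructed root CA -> issuing CA -> node certificate.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int node; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/node.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/node.pem" 2>/dev/null
}

# demo: a root-only CA file rejects a leaf-only chain, and accepts it once the
# issuing CA is either served by the node or added to the client's CA bundle.
demo() {
  t=$(mktemp -d) && make_demo_pki "$t" || return 1
  cat "$t/node.pem" "$t/int.pem" > "$t/served_full.pem"
  cat "$t/root.pem" "$t/int.pem" > "$t/ca_bundle.pem"
  chain_ok "$t/root.pem" "$t/node.pem" && a=ok || a=fail
  chain_ok "$t/root.pem" "$t/served_full.pem" && b=ok || b=fail
  chain_ok "$t/ca_bundle.pem" "$t/node.pem" && c=ok || c=fail
  rm -rf "$t"
  echo "leaf-only:$a full-chain:$b ca-bundle:$c"
}
demo
```

Against the cluster in the post, save the output of `served_chain SV934Dashmoni3 9210` to a file and pass it to `chain_ok` together with `/etc/kibana/certs/selfsigned/elasticsearch-ca.pem`; `cert_count` on the saved file shows whether the node sends anything beyond its own certificate.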