Unknown SSL protocol error after activating trial license

jg_opti · December 5, 2019, 1:52pm

Hi,

We encountered an issue after switch to the trial license from the basic license, the ssl connection of the http layer don't work anymore from remote Kibana and Logstash nodes.
I didn't see any problem for the transport layer, synchronization between elasticsearch nodes was OK.

## Request from one of the Elasticsearch node to one of the Elasticsearch node
No problem, 0 error log.

Trial license has been actived :

GET https://elastic-node1:9200/_xpack/license

{
  "license" : {
    "status" : "active",
    "uid" : "*********************",
    "type" : "trial",
    "issue_date" : "2019-12-04T09:43:49.280Z",
    "issue_date_in_millis" : 1575452629280,
    "expiry_date" : "2020-01-03T09:43:49.280Z",
    "expiry_date_in_millis" : 1578044629280,
    "max_nodes" : 1000,
    "issued_to" : "elastic-cluster",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}

GET https://elastic-node1:9200/_cluster/health?pretty -v

*   Trying 10.3.144.143...
* TCP_NODELAY set
* Connected to elastic-node1 (10.3.144.143) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=***; ST=***; L=***; O=***; OU=***; CN=elastic-node1
*  start date: Sep 25 05:46:03 2019 GMT
*  expire date: Sep 24 05:46:03 2021 GMT
*  subjectAltName: host "elastic-node1" matched cert's "elastic-node1"
*  issuer: C=***; ST=***; L=***; O=***; OU=***; CN=***; emailAddress=***
*  SSL certificate verify ok.
* Server auth using Basic with user 'kibana'

> GET /_cluster/health?pretty HTTP/1.1
Host: elastic-node1:9200
> Authorization: Basic a2liYWk12kQ0W1JmQ2N5QS1qNmVZUEctStpx
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 489
< 
{
  "cluster_name" : "elastic-cluster",
  "status" : "green",
  "timed_out" : false,
   ...
}
* Curl_http_done: called premature == 0
* Connection #0 to host elastic-node1 left intact

## Request from Kibana or Logstash node

GET https://elastic-node1:9200/_cluster/health?pretty -v

> *   Trying 10.3.144.145...
> * TCP_NODELAY set
> * Connected to elastic-node1 (10.3.144.145) port 9200 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: /etc/ssl/certs
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to elastic-node1:9200 
> * Curl_http_done: called premature == 0
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to elastic-node1:9200

openssl s_client -connect elastic-node1:9200

> CONNECTED(00000003)
> write:errno=0
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 176 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: 
>     Session-ID-ctx: 
>     Master-Key: 
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1575537612
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---

Log kibana-node2 :

{"type":"log","@timestamp":"2019-12-04T09:52:00Z","tags":["warning","elasticsearch","security"],"pid":18465,"message":"Unable to revive connection: https://elastic-node1:9200/"}
{"type":"log","@timestamp":"2019-12-04T09:52:00Z","tags":["warning","elasticsearch","security"],"pid":18465,"message":"Unable to revive connection: https://elastic-node2:9200/"}
{"type":"log","@timestamp":"2019-12-04T09:52:00Z","tags":["warning","elasticsearch","security"],"pid":18465,"message":"Unable to revive connection: https://elastic-node3:9200/"}
{"type":"log","@timestamp":"2019-12-04T09:52:00Z","tags":["warning","elasticsearch","security"],"pid":18465,"message":"Unable to revive connection: https://elastic-node4:9200/"}
{"type":"log","@timestamp":"2019-12-04T09:52:00Z","tags":["warning","elasticsearch","security"],"pid":18465,"message":"No living connections"}
{"type":"log","@timestamp":"2019-12-04T09:52:03Z","tags":["error","elasticsearch","data"],"pid":18465,"message":"Request error, retrying\nGET https://elastic-node1:9200/_xpack => Client networ
k socket disconnected before secure TLS connection was established"}
{"type":"log","@timestamp":"2019-12-04T09:52:03Z","tags":["error","elasticsearch","data"],"pid":18465,"message":"Request error, retrying\nGET https://elastic-node1:9200/_xpack => Client networ
k socket disconnected before secure TLS connection was established"}
{"type":"log","@timestamp":"2019-12-04T09:52:03Z","tags":

Kibana Portal is not ready...

Logstash worked well until elastic-node1 reboot bc connection has been removed. Connection can't be restablished anymore with elastic-node1.

Log logstash-node1 :

{"level":"WARN","loggerName":"logstash.outputs.elasticsearch","timeMillis":1575471499421,"thread":"Ruby-0-Thread-56: :1","logEvent":{"message":"Attempted to resurrect connection to dead ES instance, but got an error.","url":"https://logstash_int:xxxxxx@elastic-node1:9200/","error_type":{"metaClass":{"metaClass":{"error_type":"LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError","error":"Elasticsearch Unreachable: [https://logstash_int:xxxxxx@elastic-node1:9200/][Manticore::ClientProtocolException] SSL peer shut down incorrectly"}}}}}

Log Kibana-node2 when I activated the trial license :

{"type":"response","@timestamp":"2019-12-04T09:43:31Z","tags":[],"pid":18465,"method":"get","statusCode":200,"req":{"url":"/api/license/start_trial?_=1575452598602","method":"get","headers":{"host":"kibana-node2:5601","connection":"keep-alive","accept":"*/*","kbn-version":"7.4.2","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36","content-type":"application/json","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","referer":"https://kibana-node2:5601/s/optilian/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,pt;q=0.6"},"remoteAddress":"192.168.50.5","userAgent":"192.168.50.5","referer":"https://kibana-node2:5601/s/optilian/app/kibana"},"res":{"statusCode":200,"responseTime":87,"contentLength":9},"message":"GET /api/license/start_trial?_=1575452598602 200 87ms - 9.0B"}
{"type":"response","@timestamp":"2019-12-04T09:43:38Z","tags":[],"pid":18465,"method":"get","statusCode":200,"req":{"url":"/built_assets/dlls/icon.cross-js.bundle.dll.js","method":"get","headers":{"host":"kibana-node2:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","referer":"https://kibana-node2:5601/s/optilian/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,pt;q=0.6"},"remoteAddress":"192.168.50.5","userAgent":"192.168.50.5","referer":"https://kibana-node2:5601/s/optilian/app/kibana"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /built_assets/dlls/icon.cross-js.bundle.dll.js 200 4ms - 9.0B"}
{"type":"log","@timestamp":"2019-12-04T09:43:49Z","tags":["error","elasticsearch","data"],"pid":18465,"message":"Request error, retrying\nGET https://elastic-node2:9200/_xpack => Client network socket disconnected before secure TLS connection was established"}
{"type":"log","@timestamp":"2019-12-04T09:43:49Z","tags":["error","elasticsearch","data"],"pid":18465,"message":"Request error, retrying\nGET https://elastic-node1:9200/_xpack => Client network socket disconnected before secure TLS connection was established"}
{"type":"log","@timestamp":"2019-12-04T09:43:49Z","tags":["license","info","xpack"],"pid":18465,"message":"Imported changed license information from Elasticsearch for the [data] cluster: mode: trial | status: active | expiry date: 2020-01-03T10:43:49+01:00"}
{"type":"log","@timestamp":"2019-12-04T09:43:49Z","tags":["info","monitoring","kibana-monitoring"],"pid":18465,"message":"Starting monitoring stats collection"}
{"type":"response","@timestamp":"2019-12-04T09:43:49Z","tags":[],"pid":18465,"method":"post","statusCode":200,"req":{"url":"/api/license/start_trial","method":"post","headers":{"host":"kibana-node2:5601","connection":"keep-alive","content-length":"0","accept":"*/*","origin":"https://kibana-node2:5601","kbn-version":"7.4.2","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36","content-type":"application/json","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","referer":"https://kibana-node2:5601/s/optilian/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,pt;q=0.6"},"remoteAddress":"192.168.50.5","userAgent":"192.168.50.5","referer":"https://kibana-node2:5601/s/optilian/app/kibana"},"res":{"statusCode":200,"responseTime":484,"contentLength":9},"message":"POST /api/license/start_trial 200 484ms - 9.0B"}
{"type":"log","@timestamp":"2019-12-04T09:43:49Z","tags":["error","elasticsearch","security"],"pid":18465,"message":"Request error, retrying\nGET https://elastic-node2:9200/_security/privilege/kibana-.kibana => Client network socket disconnected before secure TLS connection was established"}
{"type":"log","@timestamp":"2019-12-04T09:43:49Z","tags":["error","elasticsearch","security"],"pid":18465,"message":"Request error, retrying\nGET https://elastic-node1:9200/_security/privilege/kibana-.kibana => Client network socket disconnected before secure TLS connection was established"}

## Rollback Basic license, SSL OK

After removing the trial license, kibana respond again but notify that elasticsearch dont have information license.

DELETE https://elastic-node1:9200/_license
GET https://elastic-node1:9200/_license
{}

Log Kibana :

{"type":"log","@timestamp":"2019-12-05T11:01:25Z","tags":["status","plugin:security@7.4.2","error"],"pid":23405,"state":"red","message":"Status changed from yellow to red - [data] Elasticsearch cluster did not respond with license information.","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}

Log Logstash
{level":"WARN","loggerName":"logstash.licensechecker.xpackinfo","timeMillis":1575543990130,"thread":"monitoring-license-manager","logEvent":{"message":"Nil response from License Server"}}
After generating new basic license, communications are working again.

POST https://elastic-node1:9200/_license/start_basic

{"acknowledged":true,"basic_was_started":true}

GET https://elastic-node1:9200/_xpack/license

{
  "license" : {
    "status" : "active",
    "uid" : "***************",
    "type" : "basic",
    "issue_date" : "2019-12-05T11:07:55.561Z",
    "issue_date_in_millis" : 1575544075561,
    "max_nodes" : 1000,
    "issued_to" : "elastic-cluster",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}

I tried to upgrade elasticsearch-node to 7.5 before removing the trial license, same result.

Jeremy.

jg_opti · December 5, 2019, 1:54pm

## Elasticsearch - X-Pack Configuration :

# --------------------------------- Security -----------------------------------
#
# Enable X-Pack
#
xpack.security.enabled: true
#
# Encrypting HTTP Client communications 
#
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "${ES_PATH_CONF}/ssl/private/${node.name}.key"
xpack.security.http.ssl.certificate: "${ES_PATH_CONF}/ssl/certs/${node.name}.crt"
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/certs/ca.pem" ]
#
# Encrypting communications between nodes in a cluster
#
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: "${ES_PATH_CONF}/ssl/private/${node.name}.key"
xpack.security.transport.ssl.certificate: "${ES_PATH_CONF}/ssl/certs/${node.name}.crt"
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/certs/ca.pem" ]
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.filter.allow: [ "10.3.144.143","10.3.144.144","10.3.144.145","10.3.144.146", ]
xpack.security.transport.filter.deny: _all
#
# Enable audit log
#
xpack.security.audit.enabled: true
#
# ----------------------------------- Realms ------------------------------------
#
# Native Authentification
#
xpack.security.authc.realms.native.native1.order: 0
xpack.security.authc.realms.native.native1.cache.hash_algo: bcrypt5
#
# LDAP Backend Authentification
#
# -
#
# ---------------------------------- Monitoring --------------------------------- 
#
xpack.monitoring.collection.enabled: true

ikakavas · December 6, 2019, 9:01am

Can't reproduce this, can you share more details like what version are you on, how did you install elasticsearch and your kibana.yml ?

jg_opti · December 10, 2019, 7:29am

Hi,

Here is the details :
Distrib : Debian 9.11
Kernel : 4.9.0-8-amd64 x86_64
ELK Version : 7.4.2
OpenSSL Version : 1.1.0l

ELK Installed from your official Debian repository. Elasticsearch use the bundled JVM. Certificates sign by our CA.

ELK certificate :
openssl x509 -text -noout -in /etc/elasticsearch/ssl/certs/elastic-node1.domain.com.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ****
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ****, ST = ****, L = ****, O = ****, OU = ****, CN = Customer CA, emailAddress = pki@domain.com
        Validity
            Not Before: Sep 25 05:46:03 2019 GMT
            Not After : Sep 24 05:46:03 2021 GMT
        Subject: C = ****, ST = ****, L = ****, O = ****, OU = ****, CN = elastic-node1.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
					***********************
                Exponent: ****
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto, TLS Web Client Authentication
            Netscape Comment:
                This certificate is used for SSL ServerCerts.
            Netscape Cert Type:
                SSL Client, SSL Server
            X509v3 Subject Alternative Name:
                DNS:elastic-node1.domain.com
    Signature Algorithm: sha256WithRSAEncryption
        ***********************

Elasticsearch configuration :

# ======================== Elasticsearch Configuration =========================
#
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: elastic-cluster
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: elastic-node1
#
# Roles of the node
#
node.master: true
node.data: true
node.ingest: true
#
# Add custom attributes to the node:
#
node.attr.location: rbx
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /data/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 10.3.144.143
network.bind_host: elastic-node1.domain.com
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# Set a custom port for TCP:
#
transport.port: 9300
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts:
  - elastic-node1.domain.com
  - elastic-node2.domain.com
  - elastic-node3.domain.com
  - elastic-node4.domain.com
#
#  Number of minimum master eligible to start the election process
#
discovery.zen.minimum_master_nodes: 2
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes:
  - elastic-node1
  - elastic-node2
  - elastic-node3
  - elastic-node4
#
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# --------------------------------- Security -----------------------------------
#
# Enable X-Pack
#
xpack.security.enabled: true
#
# Encrypting HTTP Client communications
#
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "${ES_PATH_CONF}/ssl/private/${node.name}.domain.com.key"
xpack.security.http.ssl.certificate: "${ES_PATH_CONF}/ssl/certs/${node.name}.domain.com.crt"
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/certs/CA.pem" ]
#
#Test bug SSL
#xpack.security.http.ssl.supported_protocols: [ "TLSv1.2" ]
#
## Encrypting communications between nodes in a cluster
#
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: "${ES_PATH_CONF}/ssl/private/${node.name}.domain.com.key"
xpack.security.transport.ssl.certificate: "${ES_PATH_CONF}/ssl/certs/${node.name}.domain.com.crt"
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/ssl/certs/CA.pem" ]
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.filter.allow: [ "10.3.144.143","10.3.144.144","10.3.144.145","10.3.144.146", ]
xpack.security.transport.filter.deny: _all
#
# Enable audit log
#
xpack.security.audit.enabled: true
#
# ----------------------------------- Logging ------------------------------------
#
logger.level: INFO
#
# ----------------------------------- Realms ------------------------------------
#
# Native Authentification
#
xpack.security.authc.realms.native.native1.order: 0
xpack.security.authc.realms.native.native1.cache.hash_algo: bcrypt5
#
# LDAP Backend Authentification
#
# -
#
# ---------------------------------- Monitoring ---------------------------------
#
xpack.monitoring.collection.enabled: true

xpack.security.transport.ssl.verification_mode is setup with "certificate" bc we are waiting for new elasticsearch certificates including the ip address of the node.

jg_opti · December 10, 2019, 7:31am

Kibana configuration :

# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "kibana-rbx.domain.com"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name.  This is used for display purposes.
server.name: "kibana-rbx"

# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts:
  - "https://elastic-node1.domain.com:9200"
  - "https://elastic-node2.domain.com:9200"
  - "https://elastic-node3.domain.com:9200"
  - "https://elastic-node4.domain.com:9200"

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana"
elasticsearch.password: "${ES_KIBANA}"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/ssl/certs/kibana.domain.com.crt
server.ssl.key: /etc/kibana/ssl/private/kibana.domain.com.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "/etc/ssl/certs/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid

# Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
logging.dest: /var/log/kibana/kibana.log

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"

# Security settings
xpack.security.enabled: True
xpack.security.sessionTimeout: 3600000
xpack.security.encryptionKey: "${K_KEY_SECURITY}"
xpack.security.secureCookies: true
xpack.encrypted_saved_objects.encryptionKey: "${K_KEY_ESO}"
xpack.security.audit.enabled: true

# Monitoring Elastic Nodes
xpack.monitoring.elasticsearch.hosts:
  - "https://elastic-node1.domain.com:9200"
  - "https://elastic-node2.domain.com:9200"
  - "https://elastic-node3.domain.com:9200"
  - "https://elastic-node4.domain.com:9200"
xpack.monitoring.elasticsearch.ssl.certificateAuthorities: "/etc/ssl/certs/CA.pem"

# Reporting settings
xpack.reporting.enabled: false
xpack.reporting.encryptionKey: "${K_KEY_REPORTING}"
xpack.reporting.capture.browser.chromium.disableSandbox: false

# Machine Learning settings
xpack.ml.enabled: false

Logstash output Configuration (one of them):

        elasticsearch {
          ssl => true
          ssl_certificate_verification => true
          hosts => ["https://elastic-node1.domain.com:9200","https://elastic-node2.domain.com:9200","https://elastic-node3.domain.com:9200","https://elastic-node4.domain.com:9200"]                                                                                                                                               
          cacert => "/etc/ssl/certs/CA.pem"
          user => logstash_internal
          password => "${ES_LOGSTASH_INT}"
          manage_template => false
          index => "%{[@metadata][beat]}-common-%{+YYYY.MM}"
        }

Luca_Belluccini · December 11, 2019, 10:12am

Hello,

Regarding the following options in kibana.yml:

elasticsearch.ssl.certificateAuthorities: [ "/etc/ssl/certs/CA.pem" ]
elasticsearch.ssl.verificationMode: full

Could you please test elasticsearch.ssl.verificationMode: certificate ?
Could you please try the following from the Kibana machine and provide us the output?

curl -u elastic https://elastic-node1.domain.com:9200 --cacert /etc/ssl/certs/CA.pem -vvvv
curl -u elastic https://10.3.144.143:9200 --cacert /etc/ssl/certs/CA.pem -vvvv

Vincent_Maury · December 26, 2019, 10:08am

Thank you @Luca_Belluccini we'll have a look at it

jg_opti · January 7, 2020, 4:24pm

Hi,
Sorry to reply you late. Holidays and frozen zone didn't help.
I found an usefull log in the my elk audit file :

{"type":"audit", "timestamp":"2019-12-05T11:27:03,266+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.144.147", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2019-12-05T11:27:03,634+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.144.148", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2019-12-05T11:27:03,770+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.144.147", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2019-12-05T11:27:03,776+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.159.11", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2019-12-05T11:27:04,104+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.144.148", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2019-12-05T11:27:04,319+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.144.141", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2019-12-05T11:27:04,423+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.144.142", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2019-12-05T11:27:04,690+0100", "node.id":"gKKpKcb3Semy0AQlItVN0w", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.3.144.147", "transport.profile":".http", "rule":"deny _all"}

i conclude that http filtering settings seems inherit from transport filtering settings with the trial license. See https://github.com/elastic/elasticsearch/issues/41790

I can't try to disable the option for the moment bc it's in production env but i will reply asap.
Jérémy.

system · February 4, 2020, 4:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.