Using https to login to Kibana

Elastic Stack Kibana
1

Hi All,

I'm trying to use TLS (https) to secure login to kibana in my testing environment.

My environment worked correctly before setting security, I used to login to Kibana http://192.168.2.213:5610 and used to work.

I've successfully secured elastic search: https://192.168.2.213:9200/


    |name|"node-1"|
    |---|---|
    |cluster_name|"elasticsearch"|
    |cluster_uuid|"w2bByNT1TIGSFbgTk-kY4g"|
    |version||
    |number|"7.6.2"|
    |build_flavor|"default"|
    |build_type|"deb"|
    |build_hash|"ef48eb35cf30adf4db14086e8aabd07ef6fb113f"|
    |build_date|"2020-03-26T06:34:37.794943Z"|
    |build_snapshot|false|
    |lucene_version|"8.4.0"|
    |minimum_wire_compatibility_version|"6.8.0"|
    |minimum_index_compatibility_version|"6.0.0-beta1"|
    |tagline|"You Know, for Search"|


    # ======================== Elasticsearch Configuration =========================
    #
    # NOTE: Elasticsearch comes with reasonable defaults for most settings.
    #       Before you set out to tweak and tune the configuration, make sure you
    #       understand what are you trying to accomplish and the consequences.
    #
    # The primary way of configuring a node is via this file. This template lists
    # the most important settings you may want to configure for a production cluster.
    #
    # Please consult the documentation for further information on configuration options:
    # https://www.elastic.co/guide/en/elasticsearch/reference/index.html
    #
    # ---------------------------------- Cluster -----------------------------------
    #
    # Use a descriptive name for your cluster:
    #
    #cluster.name: my-application
    #
    # ------------------------------------ Node ------------------------------------
    #
    # Use a descriptive name for the node:
    #
    node.name: node-1
    #
    # Add custom attributes to the node:
    #
    #node.attr.rack: r1
    #
    # ----------------------------------- Paths ------------------------------------
    #
    # Path to directory where to store the data (separate multiple locations by comma):
    #
    path.data: /var/lib/elasticsearch
    #
    # Path to log files:
    #
    path.logs: /var/log/elasticsearch
    #

    # ----------------------------------- Memory -----------------------------------
    #
    # Lock the memory on startup:
    #
    #bootstrap.memory_lock: true
    #
    # Make sure that the heap size is set to about half the memory available
    # on the system and that the owner of the process is allowed to use this
    # limit.
    #
    # Elasticsearch performs poorly when the system is swapping the memory.
    #
    # ---------------------------------- Network -----------------------------------
    #
    # Set the bind address to a specific IP (IPv4 or IPv6):
    #
    network.host: 192.168.2.213
    #
    # Set a custom port for HTTP:
    #
    http.port: 9200
    #
    # For more information, consult the network module documentation.
    #
    # --------------------------------- Discovery ----------------------------------
    #
    # Pass an initial list of hosts to perform discovery when this node is started:
    # The default list of hosts is ["127.0.0.1", "[::1]"]
    #
    # discovery.type: single-node

    discovery.seed_hosts: ["192.168.2.213", "[::1]"]
    #
    # Bootstrap the cluster using an initial set of master-eligible nodes:
    #
    cluster.initial_master_nodes: ["node-1"]
    #
    # For more information, consult the discovery and cluster formation module documentation.
    #
    # ---------------------------------- Gateway -----------------------------------
    #
    # Block initial recovery after a full cluster restart until N nodes are started:
    #
    #gateway.recover_after_nodes: 3
    #
    # For more information, consult the gateway module documentation.
    #
    # ---------------------------------- Various -----------------------------------
    #
    # Require explicit names when deleting indices:
    #
    #action.destructive_requires_name: true

    xpack.security.enabled: true

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: "http.p12"

Kibana.yaml

    # Kibana is served by a back end server. This setting specifies the port to use.
    server.port: 5601

    # Specifies the address to which the Kibana server will bind. IP addresses and host names are both val$
    # The default is 'localhost', which usually means remote machines will not be able to connect.
    # To allow connections from remote users, set this parameter to a non-loopback address.
    server.host: "192.168.2.213"

    # Enables you to specify a path to mount Kibana at if you are running behind a proxy.
    # Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
    # from requests it receives, and to prevent a deprecation warning at startup.
    # This setting cannot end in a slash.
    #server.basePath: ""

    # Specifies whether Kibana should rewrite requests that are prefixed with
    # `server.basePath` or require that they are rewritten by your reverse proxy.
    # This setting was effectively always `false` before Kibana 6.3 and will
    # default to `true` starting in Kibana 7.0.
    #server.rewriteBasePath: false

    # The maximum payload size in bytes for incoming server requests.
    #server.maxPayloadBytes: 1048576

    # The Kibana server's name.  This is used for display purposes.
    server.name: "kibana"

    # The URLs of the Elasticsearch instances to use for all your queries.
    elasticsearch.hosts: ["https://192.168.2.213:9200/"]

    # When this setting's value is true Kibana uses the hostname specified in the server.host
    # setting. When the value of this setting is false, Kibana uses the hostname of the host
    # that connects to this Kibana instance.
    #elasticsearch.preserveHost: true

    # Kibana uses an index in Elasticsearch to store saved searches, visualizations and
    # dashboards. Kibana creates a new index if the index doesn't already exist.
    #kibana.index: ".kibana"
    # The default application to load.
    #kibana.defaultAppId: "home"

    # If your Elasticsearch is protected with basic authentication, these settings provide
    # the username and password that the Kibana server uses to perform maintenance on the Kibana
    # index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
    # is proxied through the Kibana server.
    elasticsearch.username: "kibana"
    elasticsearch.password: "@dm!n123"

    # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
    # These settings enable SSL for outgoing requests from the Kibana server to the browser.
    #server.ssl.enabled: false
    #server.ssl.certificate: /path/to/your/server.crt
    #server.ssl.key: /path/to/your/server.key
    server.ssl.enabled: true
    server.ssl.keystore.path: "/etc/kibana/kibana-server.p12"

Here how I created the cert and signed it the stack CA:

`sudo  /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -name kibana-server -dns some-website.com,www.some-website.com --ip 192.168.2.213`

I think my problem is in creating the certificate.

Thanks in advance.

2

What doesn't work now ? What are you doing, what were you expecting to happen and what happened instead ?

3

Oh, sorry.

I need to login to Kibana via https. I've tested https://192.168.2.213 but the results: Unable to connect

4

This is rather generic. It's always better to share the exact errors and all the details up front so that folks can help you out. What is the actual error on your web browser ? What is written in the kibana logs ? Is kibana even running?

5

Sorry, I'm new to this.

Kibana tricked me first as I've checked its status it was active, but I found that it stops after like 10 secs.

As I can't see a kibana.log file I've checked using this command:

sudo tail -n 100 /var/log/syslog

and found the below errors:


    pr  9 18:06:42 amdin1-virtual-machine systemd[1]: Stopped Kibana.
    Apr  9 18:06:42 amdin1-virtual-machine systemd[1]: Started Kibana.
    Apr  9 18:06:45 amdin1-virtual-machine kibana[3050]: {"type":"log","@timestamp":"2020-04-09T15:06:45Z","tags":["info","plugins-service"],"pid":3050,"message":"Plugin \"case\" is disabled."}
    Apr  9 18:06:48 amdin1-virtual-machine kibana[3050]: {"type":"log","@timestamp":"2020-04-09T15:06:48Z","tags":["fatal","root"],"pid":3050,"message":"{ Error: EACCES: permission denied, open '/etc/kibana/kibana-server.p12'\n    at Object.openSync (fs.js:443:3)\n    at readFileSync (fs.js:343:35)\n    at readPkcs12Keystore (/usr/share/kibana/src/core/utils/crypto/pkcs12.js:58:42)\n    at new SslConfig (/usr/share/kibana/src/core/server/http/ssl_config.js:119:41)\n    at new HttpConfig (/usr/share/kibana/src/core/server/http/http_config.js:157:16)\n    at MapSubscriber.HttpService.config$.pipe [as project] (/usr/share/kibana/src/core/server/http/http_service.js:57:177)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:49:35)\n    at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at CombineLatestSubscriber.notifyNext (/usr/share/kibana/node_modules/rxjs/internal/observable/combineLatest.js:97:34)\n    at InnerSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/InnerSubscriber.js:28:21)\n    at InnerSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:55:26)\n    at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at DistinctUntilChangedSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/distinctUntilChanged.js:69:30)\n    at DistinctUntilChangedSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:55:26)\n  errno: -13,\n  syscall: 'open',\n  code: 'EACCES',\n  path: '/etc/kibana/kibana-server.p12' }"}
    Apr  9 18:06:48 amdin1-virtual-machine kibana[3050]:  FATAL  Error: EACCES: permission denied, open '/etc/kibana/kibana-server.p12'
    Apr  9 18:06:48 amdin1-virtual-machine systemd[1]: kibana.service: Main process exited, code=exited, status=1/FAILURE
    Apr  9 18:06:48 amdin1-virtual-machine systemd[1]: kibana.service: Failed with result 'exit-code'.
    Apr  9 18:06:51 amdin1-virtual-machine systemd[1]: kibana.service: Service hold-off time over, scheduling restart.
    Apr  9 18:06:51 amdin1-virtual-machine systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
    Apr  9 18:06:51 amdin1-virtual-machine systemd[1]: Stopped Kibana.
    Apr  9 18:06:51 amdin1-virtual-machine systemd[1]: kibana.service: Start request repeated too quickly.
    Apr  9 18:06:51 amdin1-virtual-machine systemd[1]: kibana.service: Failed with result 'exit-code'.
    Apr  9 18:06:51 amdin1-virtual-machine systemd[1]: Failed to start Kibana.

I've checked the path of this /etc/kibana/kibana-server.p12 and I can see it is there.

Here is how this p12 is generated:

sudo  /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -name kibana-server -dns some-website.com,www.some-website.com --ip 192.168.2.213

I don't know if some values should be changed?

Thanks for your patience :slight_smile:

6

It looks like kibana can't read that file though. What are the permissions for that file and the directory, can you share the output of the command

ls -la /etc/kibana/kibana-server.p12

and

ls -la /etc/kibana
7 
    amdin1@amdin1-virtual-machine:/etc/kibana$ ls -la /etc/kibana/kibana-server.p12
    -rw------- 1 root root 3533 Apr  9 15:03 /etc/kibana/kibana-server.p12
    amdin1@amdin1-virtual-machine:/etc/kibana$ ls -la /etc/kibana
    total 36
    drwxrwxr-x   2 root root  4096 Apr  9 18:06 .
    drwxr-xr-x 129 root root 12288 Apr  8 10:53 ..
    -rw-r--r--   1 root root  3009 Mar 26 09:22 apm.js
    -rw-r--r--   1 root root  1200 Apr  9 14:02 elasticsearch-ca.pem
    -rw-------   1 root root  3533 Apr  9 15:03 kibana-server.p12
    -rw-r--r--   1 root root  5427 Apr  9 18:06 kibana.yml

I've sudo chmod 644 kibana-server.p12 , tested again and got this error, which is not a permission denied.

Started Kibana.
Apr  9 19:37:11 amdin1-virtual-machine kibana[3256]: {"type":"log","@timestamp":"2020-04-09T16:37:11Z","tags":["info","plugins-service"],"pid":3256,"message":"Plugin \"case\" is disabled."}
Apr  9 19:37:15 amdin1-virtual-machine kibana[3256]: {"type":"log","@timestamp":"2020-04-09T16:37:15Z","tags":["fatal","root"],"pid":3256,"message":"Error: PKCS#12 MAC could not be verified. Invalid password?\n    at Object.p12.pkcs12FromAsn1 (/usr/share/kibana/node_modules/node-forge/lib/pkcs12.js:475:13)\n    at readPkcs12Keystore (/usr/share/kibana/src/core/utils/crypto/pkcs12.js:64:33)\n    at new SslConfig (/usr/share/kibana/src/core/server/http/ssl_config.js:119:41)\n    at new HttpConfig (/usr/share/kibana/src/core/server/http/http_config.js:157:16)\n    at MapSubscriber.HttpService.config$.pipe [as project] (/usr/share/kibana/src/core/server/http/http_service.js:57:177)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:49:35)\n    at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at CombineLatestSubscriber.notifyNext (/usr/share/kibana/node_modules/rxjs/internal/observable/combineLatest.js:97:34)\n    at InnerSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/InnerSubscriber.js:28:21)\n    at InnerSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:55:26)\n    at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at DistinctUntilChangedSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/distinctUntilChanged.js:69:30)\n    at DistinctUntilChangedSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:55:26)\n    at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)"}
Apr  9 19:37:15 amdin1-virtual-machine kibana[3256]:  FATAL  Error: PKCS#12 MAC could not be verified. Invalid password?
Apr  9 19:37:15 amdin1-virtual-machine systemd[1]: kibana.service: Main process exited, code=exited, status=1/FAILURE
Apr  9 19:37:15 amdin1-virtual-machine systemd[1]: kibana.service: Failed with result 'exit-code'.
Apr  9 19:37:18 amdin1-virtual-machine systemd[1]: kibana.service: Service hold-off time over, scheduling restart.
Apr  9 19:37:18 amdin1-virtual-machine systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
Apr  9 19:37:18 amdin1-virtual-machine systemd[1]: Stopped Kibana.
Apr  9 19:37:18 amdin1-virtual-machine systemd[1]: kibana.service: Start request repeated too quickly.
Apr  9 19:37:18 amdin1-virtual-machine systemd[1]: kibana.service: Failed with result 'exit-code'.
Apr  9 19:37:18 amdin1-virtual-machine systemd[1]: Failed to start Kibana.

PS: I didn't set a password for the kibana-server.p12

2 Likes
8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.