Using own SSL certificate doesn't work on stack Elasticsearch + Kibana

Hello!

I tried to create production stack kibana + elasticsearch and I am kinda stuck on certificates. Can you help me find the problem in my setting?

Situation:

  1. We have SSL certificate for *.example.com and I need to use that for kibana and elasticsearch.
  2. Elasticsearch works properly and I am able to to visit https://server.example.com:9200 and see JSON data.
  3. But Kibana is not able to validate communication between Kibana <-> Elasticsearch and it throws this error:
kibana         | [2023-07-04T14:43:59.409+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception
kibana         | 	Root causes:
kibana         | 		security_exception: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]

I tried to find some tutorial how to setup production kibana, but I didn't find any with SSL.

So my thoughts for this problem:

  1. It is easier to generate own self-signed certificates by elasticsearch and have proxy (nginx) to use correct SSL certificate?

My current stack

version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.8.0
    container_name: elasticsearch
    environment:
      - "discovery.type=single-node"
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - bootstrap.memory_lock=true
      - "xpack.security.enabled=true"
      - "xpack.security.http.ssl.enabled=true"
      - "xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/server.key"
      - "xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/server.crt"
      - "xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/server.pem"
      - "xpack.security.transport.ssl.enabled=true"
      - "xpack.security.transport.ssl.verification_mode=certificate"
      - "xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/server.pem"
      - "xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/server.key"
      - "xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/server.crt"
      - "ELASTIC_PASSWORD=kibana123456"
      - "ELASTICSEARCH_SSL_VERIFICATIONMODE=none"
    volumes:
      - esdata:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    ports:
      - 9200:9200
    restart: on-failure

  kibana:
    image: docker.elastic.co/kibana/kibana:8.8.0
    container_name: kibana
    ports:
      - 5601:5601
    restart: on-failure
    environment:
      ELASTICSEARCH_HOSTS: https://elasticsearch:9200
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/kibana/config/certs/server.pem"
      ELASTICSEARCH_SSL_VERIFICATIONMODE: certificate
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: "/usr/share/kibana/config/certs/server.key"
      SERVER_SSL_CERTIFICATE: "/usr/share/kibana/config/certs/server.crt"
      ELASTICSEARCH_PASSWORD: "kibana123456"
      "server.publicBaseUrl": "https://server.example.com:5601"
    volumes:
      - ./certs:/usr/share/kibana/config/certs
    depends_on:
      - elasticsearch

volumes:
  esdata:
    driver: local

Any thoughts for that are welcome! Or suggestion how to run it with SSL. Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.