Using own SSL certificate doesn't work on stack Elasticsearch + Kibana

Elastic Stack Elasticsearch
1

Hello!

I tried to create production stack kibana + elasticsearch and I am kinda stuck on certificates. Can you help me find the problem in my setting?

Situation:

  1. We have SSL certificate for *.example.com and I need to use that for kibana and elasticsearch.
  2. Elasticsearch works properly and I am able to to visit https://server.example.com:9200 and see JSON data.
  3. But Kibana is not able to validate communication between Kibana <-> Elasticsearch and it throws this error:
kibana         | [2023-07-04T14:43:59.409+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception
kibana         | 	Root causes:
kibana         | 		security_exception: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]

I tried to find some tutorial how to setup production kibana, but I didn't find any with SSL.

So my thoughts for this problem:

  1. It is easier to generate own self-signed certificates by elasticsearch and have proxy (nginx) to use correct SSL certificate?

My current stack

version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.8.0
    container_name: elasticsearch
    environment:
      - "discovery.type=single-node"
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - bootstrap.memory_lock=true
      - "xpack.security.enabled=true"
      - "xpack.security.http.ssl.enabled=true"
      - "xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/server.key"
      - "xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/server.crt"
      - "xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/server.pem"
      - "xpack.security.transport.ssl.enabled=true"
      - "xpack.security.transport.ssl.verification_mode=certificate"
      - "xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/server.pem"
      - "xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/server.key"
      - "xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/server.crt"
      - "ELASTIC_PASSWORD=kibana123456"
      - "ELASTICSEARCH_SSL_VERIFICATIONMODE=none"
    volumes:
      - esdata:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    ports:
      - 9200:9200
    restart: on-failure

  kibana:
    image: docker.elastic.co/kibana/kibana:8.8.0
    container_name: kibana
    ports:
      - 5601:5601
    restart: on-failure
    environment:
      ELASTICSEARCH_HOSTS: https://elasticsearch:9200
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/kibana/config/certs/server.pem"
      ELASTICSEARCH_SSL_VERIFICATIONMODE: certificate
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: "/usr/share/kibana/config/certs/server.key"
      SERVER_SSL_CERTIFICATE: "/usr/share/kibana/config/certs/server.crt"
      ELASTICSEARCH_PASSWORD: "kibana123456"
      "server.publicBaseUrl": "https://server.example.com:5601"
    volumes:
      - ./certs:/usr/share/kibana/config/certs
    depends_on:
      - elasticsearch

volumes:
  esdata:
    driver: local

Any thoughts for that are welcome! Or suggestion how to run it with SSL. Thanks!

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.