Hello!
I tried to create production stack kibana + elasticsearch and I am kinda stuck on certificates. Can you help me find the problem in my setting?
Situation:
- We have SSL certificate for
*.example.com
and I need to use that for kibana and elasticsearch. - Elasticsearch works properly and I am able to to visit
https://server.example.com:9200
and see JSON data. - But Kibana is not able to validate communication between Kibana <-> Elasticsearch and it throws this error:
kibana | [2023-07-04T14:43:59.409+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception
kibana | Root causes:
kibana | security_exception: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]
I tried to find some tutorial how to setup production kibana, but I didn't find any with SSL.
So my thoughts for this problem:
- It is easier to generate own self-signed certificates by elasticsearch and have proxy (nginx) to use correct SSL certificate?
My current stack
version: '3'
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:8.8.0
container_name: elasticsearch
environment:
- "discovery.type=single-node"
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- bootstrap.memory_lock=true
- "xpack.security.enabled=true"
- "xpack.security.http.ssl.enabled=true"
- "xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/server.key"
- "xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/server.crt"
- "xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/server.pem"
- "xpack.security.transport.ssl.enabled=true"
- "xpack.security.transport.ssl.verification_mode=certificate"
- "xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/server.pem"
- "xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/server.key"
- "xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/server.crt"
- "ELASTIC_PASSWORD=kibana123456"
- "ELASTICSEARCH_SSL_VERIFICATIONMODE=none"
volumes:
- esdata:/usr/share/elasticsearch/data
- ./certs:/usr/share/elasticsearch/config/certs
ports:
- 9200:9200
restart: on-failure
kibana:
image: docker.elastic.co/kibana/kibana:8.8.0
container_name: kibana
ports:
- 5601:5601
restart: on-failure
environment:
ELASTICSEARCH_HOSTS: https://elasticsearch:9200
ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/kibana/config/certs/server.pem"
ELASTICSEARCH_SSL_VERIFICATIONMODE: certificate
SERVER_SSL_ENABLED: "true"
SERVER_SSL_KEY: "/usr/share/kibana/config/certs/server.key"
SERVER_SSL_CERTIFICATE: "/usr/share/kibana/config/certs/server.crt"
ELASTICSEARCH_PASSWORD: "kibana123456"
"server.publicBaseUrl": "https://server.example.com:5601"
volumes:
- ./certs:/usr/share/kibana/config/certs
depends_on:
- elasticsearch
volumes:
esdata:
driver: local
Any thoughts for that are welcome! Or suggestion how to run it with SSL. Thanks!