What does "A secure connection is required for log in" mean?

security

(Li Jessen) #1

When I enables secured transmission (TLS/SSL) in both elasticsearch and kibana, I got the following window after running both app successfully. What does it mean? And what should I do next?


(Ioannis Kakavas) #2

It means that you have set secureCookies to true in kibana.yml and you haven't enabled TLS for http in Kibana.

Setting secureCookies means that the session cookie gets the secure flag set which means that your browser will only send it over https connections. But the fact that TLS for http is not enabled in Kibana, it means that your browser is not communicating over https with Kibana and as such cannot send the session cookie, leaving Kibana unable to keep you logged in. This is why you get this error up front, so that you can correct your configuration.


(Li Jessen) #3

You mean that I need "Configure Kibana to encrypt communications between the browser and the Kibana server" as the url you provided?


(Ioannis Kakavas) #4

Depends on what you want to do. Cookies with secure flag work only over https connections.

You can either:

  • Enable secureCookies and configure TLS for http in kibana ( This is the "Configure Kibana to encrypt communications between the browser and the Kibana server" part)
  • Disable secureCookies if for any reason you don't want to use https for accessing Kibana

(Li Jessen) #5

It is really not a simple task. It cost me around 6 hours to figure it out. Some facts are missing in the online documents of Elasticsearch.
I am using CentOS 7, elasticsearch and kibana 6.5.

(1) generate server certificate for kibana

Use elasticsearch-certutil in the installation directory of elasticsearch, since kibana installation directory has no such utility

details see: https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html

But you need to create a yml file for the setting of subject Alternative name, which is indispensable for TLS/SSL certification by chrome browser.

In my case, it is kibanacert.yml and its contents are:

instances:
 - name: "kibana-server"
   dns:
        - "kibana.node.cn"

Here “ kibana.node.cn” is the subject Alternative name.

Also, you need to specify --pem for the output of separate key and certificate files rather than a single .P12 file, from which cert and key files derived can’t be parsed by kibana ( it is probably a bug of kibana). In my case, it is:

$ elasticsearch-certutil cert --silent --pem --in kibanacert.yml --out kibana-server.zip

it would prompt you with password, you just input your password and it would succeed.

Now you have kibana-server.zip file, move it to kibana installation directory.

$unzip kibana-server.zip

it would create two new directories, one named ca for storing of ca.crt, which is “Elastic Certificate Tool Autogenerated CA”, the other named kibana-server for storing of kibana-server.crt which is the certificate of kibana server, and kibana-server.key, which is the private key of kibana server.

(2) Set kibana host address in kibana.yml

In the config/kibana.yml, Specifies the address to which the Kibana server will bind.

server.host: kibana.node.cn

Please note that it must be set the same as the subject Alternative name of the certificate generated above.

In root mode, add the host name in /etc/hosts, i.e. add one line with the ip address of the server followed by space and the host name, otherwise the browser can’t parse the host name.

10.xx.xx.xx kibana.node.cn

(3) Set server certificate and private key in kibana.yml

In config/kibana.yml , enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.

server.ssl.enabled: true

server.ssl.certificate: /path to the certificate/kibana-server.crt

server.ssl.key: /path to the key/kibana-server.key

(4) Configure Kibana to connect to Elasticsearch via HTTPS:

Just follow the steps in

https://www.elastic.co/guide/en/kibana/current/configuring-tls.html#configuring-tls

elasticsearch.ssl.certificateAuthorities:

must be the same as the one you created for elasticsearch.

(5) run bin/kibana

should run successfully

(6) import certificate files in chrome browser

Merge the certificate and key into one .p12 file

openssl pkcs12 -export -out kibana-server.p12 -inkey kibana-server.key -in kibana-server.crt

The kibana-server.p12 file is created.

In the Chrome Settins→Advanced→Manage certificate, in “Your certificate”, import the kibana-server.p12. In “Authorities”, import the ca.crt and select “Trust this certificate for identifying website”.

(7) run chrome browser

https://kibana.node.cn:6501

It would display a window for you to log-in If your Elasticsearch is protected with basic authentication or it would automatically connect to elasticsearch. Now it is done.


How to generate a server certificate for Kibana?
How to establish secured connection to elasticsearch
How to connect Kibana to Elasticsearch when http ssl is enabled