It is really not a simple task. It cost me around 6 hours to figure it out. Some facts are missing in the online documents of Elasticsearch.
I am using CentOS 7, elasticsearch and kibana 6.5.
(1) generate server certificate for kibana
Use elasticsearch-certutil in the installation directory of elasticsearch, since kibana installation directory has no such utility
details see: https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html
But you need to create a yml file for the setting of subject Alternative name, which is indispensable for TLS/SSL certification by chrome browser.
In my case, it is kibanacert.yml and its contents are:
instances:
- name: "kibana-server"
dns:
- "kibana.node.cn"
Here “ kibana.node.cn” is the subject Alternative name.
Also, you need to specify --pem for the output of separate key and certificate files rather than a single .P12 file, from which cert and key files derived can’t be parsed by kibana ( it is probably a bug of kibana). In my case, it is:
$ elasticsearch-certutil cert --silent --pem --in kibanacert.yml --out kibana-server.zip
it would prompt you with password, you just input your password and it would succeed.
Now you have kibana-server.zip file, move it to kibana installation directory.
$unzip kibana-server.zip
it would create two new directories, one named ca for storing of ca.crt, which is “Elastic Certificate Tool Autogenerated CA”, the other named kibana-server for storing of kibana-server.crt which is the certificate of kibana server, and kibana-server.key, which is the private key of kibana server.
(2) Set kibana host address in kibana.yml
In the config/kibana.yml, Specifies the address to which the Kibana server will bind.
server.host: kibana.node.cn
Please note that it must be set the same as the subject Alternative name of the certificate generated above.
In root mode, add the host name in /etc/hosts, i.e. add one line with the ip address of the server followed by space and the host name, otherwise the browser can’t parse the host name.
10.xx.xx.xx kibana.node.cn
(3) Set server certificate and private key in kibana.yml
In config/kibana.yml , enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
server.ssl.enabled: true
server.ssl.certificate: /path to the certificate/kibana-server.crt
server.ssl.key: /path to the key/kibana-server.key
(4) Configure Kibana to connect to Elasticsearch via HTTPS:
Just follow the steps in
https://www.elastic.co/guide/en/kibana/current/configuring-tls.html#configuring-tls
elasticsearch.ssl.certificateAuthorities:
must be the same as the one you created for elasticsearch.
(5) run bin/kibana
should run successfully
(6) import certificate files in chrome browser
Merge the certificate and key into one .p12 file
openssl pkcs12 -export -out kibana-server.p12 -inkey kibana-server.key -in kibana-server.crt
The kibana-server.p12 file is created.
In the Chrome Settins→Advanced→Manage certificate, in “Your certificate”, import the kibana-server.p12. In “Authorities”, import the ca.crt and select “Trust this certificate for identifying website”.
(7) run chrome browser
It would display a window for you to log-in If your Elasticsearch is protected with basic authentication or it would automatically connect to elasticsearch. Now it is done.