What does "A secure connection is required for log in" mean?

It is really not a simple task. It cost me around 6 hours to figure it out. Some facts are missing in the online documents of Elasticsearch.
I am using CentOS 7, elasticsearch and kibana 6.5.

(1) generate server certificate for kibana

Use elasticsearch-certutil in the installation directory of elasticsearch, since kibana installation directory has no such utility

details see: https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html

But you need to create a yml file for the setting of subject Alternative name, which is indispensable for TLS/SSL certification by chrome browser.

In my case, it is kibanacert.yml and its contents are:

instances:
 - name: "kibana-server"
   dns:
        - "kibana.node.cn"

Here “ kibana.node.cn” is the subject Alternative name.

Also, you need to specify --pem for the output of separate key and certificate files rather than a single .P12 file, from which cert and key files derived can’t be parsed by kibana ( it is probably a bug of kibana). In my case, it is:

$ elasticsearch-certutil cert --silent --pem --in kibanacert.yml --out kibana-server.zip

it would prompt you with password, you just input your password and it would succeed.

Now you have kibana-server.zip file, move it to kibana installation directory.

$unzip kibana-server.zip

it would create two new directories, one named ca for storing of ca.crt, which is “Elastic Certificate Tool Autogenerated CA”, the other named kibana-server for storing of kibana-server.crt which is the certificate of kibana server, and kibana-server.key, which is the private key of kibana server.

(2) Set kibana host address in kibana.yml

In the config/kibana.yml, Specifies the address to which the Kibana server will bind.

server.host: kibana.node.cn

Please note that it must be set the same as the subject Alternative name of the certificate generated above.

In root mode, add the host name in /etc/hosts, i.e. add one line with the ip address of the server followed by space and the host name, otherwise the browser can’t parse the host name.

10.xx.xx.xx kibana.node.cn

(3) Set server certificate and private key in kibana.yml

In config/kibana.yml , enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.

server.ssl.enabled: true

server.ssl.certificate: /path to the certificate/kibana-server.crt

server.ssl.key: /path to the key/kibana-server.key

(4) Configure Kibana to connect to Elasticsearch via HTTPS:

Just follow the steps in

https://www.elastic.co/guide/en/kibana/current/configuring-tls.html#configuring-tls

elasticsearch.ssl.certificateAuthorities:

must be the same as the one you created for elasticsearch.

(5) run bin/kibana

should run successfully

(6) import certificate files in chrome browser

Merge the certificate and key into one .p12 file

openssl pkcs12 -export -out kibana-server.p12 -inkey kibana-server.key -in kibana-server.crt

The kibana-server.p12 file is created.

In the Chrome Settins→Advanced→Manage certificate, in “Your certificate”, import the kibana-server.p12. In “Authorities”, import the ca.crt and select “Trust this certificate for identifying website”.

(7) run chrome browser

https://kibana.node.cn:6501

It would display a window for you to log-in If your Elasticsearch is protected with basic authentication or it would automatically connect to elasticsearch. Now it is done.