Cannot redirect to Kibana when using mixed certificates

Hi!
It was the time to shift the build from dev to production and now I am facing this weird issue. Yes, I am the one who opened this question back then.
The problem is that, now, we have a domain for the Keycloak instance (say keycloak.myapp.com), but for Kibana we are still using a self-signed certificate generated with openssl. Maybe there is something I am missing, but with this setup Keycloak doesn't find the Kibana redirects.

The command I used to generate the root-ca:

# Root CA
openssl genrsa -out root-ca-key.pem 4096
openssl req -days 3652 -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj "/C=US/L=Texas/O=Somewhere/OU=Something/CN=keycloak.myapp.com"

My config.yml entry:

openid_connect_url: https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration

My kibana.yml entry:

opendistro_security.openid.connect_url: "https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration"

Note: I checked the certs generated from Let’s Encrypt and the CN contains “keycloak.myapp.com”.
Thanks in advance.

Hi @godhelpus

When you say Kibana certificate, do you mean the certificate configured in server.ssl.certificate? If so, it's completely fine to use a self-signed one there.

However

opendistro_security.openid.root_ca:

in kibana.yml and

openid_connect_idp.pemtrustedcas_filepath:

in config.yml must refer to the same Keycloak certificate or Keycloak's root CA.
Also, be sure that Keycloak's certificate has the FQDN in the SAN.

Hi @pablo
I did exactly what you mentioned in the config.yml and kibana.yml file and it’s working fine now. Thank you very much.

If I had 2 different certs for Keycloak and Kibana (say "keycloak.myapp.com" and "kibana.myapp.com" respectively), what should the configuration be?
My current config looks like this:

kibana.yml

server.host: IP_ADDRESS # change this in production
server.port: PORT
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: PASSWORD # change this in production
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/kibana/config/kibana-key.pem" #self signed
server.ssl.certificate: "/usr/share/kibana/config/kibana.pem" #self signed
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/root-ca.pem"] #self signed
opendistro_security.openid.root_ca: "/usr/share/kibana/config/leca.pem" #Let's Encrypt CA

## ADDED
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration" # change this in production
opendistro_security.openid.client_id: "kibana_client" # change this in production
opendistro_security.openid.client_secret: "SECRET" # change this in production

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.multitenancy.enable_filter: false

My config.yml

      openid_auth_domain:
        order: 1
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration # change this in production
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/leca.pem" #Let's Encrypt CA
            openid_connect_idp.enable_ssl: true
            openid_connect_idp.verify_hostnames: false
        authentication_backend:
          type: noop

Thanks in advance.

Also, do you recommend keeping Keycloak and Kibana on the same instance (either in the same cluster or on the same physical/logical node) or on different instances (in a different cluster)?

@godhelpus

Regarding Keycloak and Kibana placement, for a production environment it is always better to separate them and create redundancy.

Regarding the certs, your config is correct. Both Kibana and the ES security plug-in can successfully verify Keycloak's certificate against the defined root CA certificate.

When you have two certs, Keycloak (keycloak.myapp.com) and Kibana (kibana.myapp.com), the Kibana cert must be defined in

server.ssl.certificate

if you decide to enable SSL for the Kibana web client. The Keycloak certificate, as I mentioned before, must be configured in kibana.yml

opendistro_security.openid.root_ca:

and

openid_connect_idp.pemtrustedcas_filepath:
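The two checks @pablo's replies describe (the file named in opendistro_security.openid.root_ca / openid_connect_idp.pemtrustedcas_filepath must actually sign Keycloak's certificate, and that certificate must carry the FQDN in its SAN), as an added example that is not part of this thread: a POSIX shell script that builds throwaway certificates (constructed here; the "public" CA only stands in for Let's Encrypt) and runs both checks against the working setup, against the CN-only self-signed root-ca.pem from the question, and against a Keycloak cert whose FQDN is only in the CN. It assumes openssl 1.1.1 or later on the PATH; make_ca, make_leaf, chain_ok, san_ok and idp_trust_ok are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the setup with throwaway certs and
# run the two checks the plugin needs to pass before it trusts the IdP:
# 1) the configured trust anchor signs the IdP certificate, 2) FQDN is in the SAN.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Minimal req config so the system openssl.cnf is not needed; CA:TRUE for roots.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/req.cnf"

# Self-signed root CA: $1 = file prefix, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf cert signed by CA $1: $2 = file prefix, $3 = FQDN, $4 = san | nosan.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$3" \
    -keyout "$WORK/$2-key.pem" -out "$WORK/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\n' > "$WORK/$2.ext"
  [ "$4" = san ] && printf 'subjectAltName=DNS:%s\n' "$3" >> "$WORK/$2.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1-key.pem" -CAcreateserial -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Does trust anchor $1 sign $2? Only that file is trusted, never the system store.
chain_ok() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}
# Is FQDN $2 a dNSName SAN entry of $1? The reply requires it in the SAN, not just the CN.
san_ok() { openssl x509 -in "$WORK/$1.pem" -noout -text | grep -qF "DNS:$2"; }
# Both conditions: CA $1 signs IdP cert $2, and $2 names FQDN $3 in its SAN.
idp_trust_ok() { chain_ok "$1" "$2" && san_ok "$2" "$3"; }

# Constructed scenario: "public" stands in for Let's Encrypt; "localroot" is the
# CN-only self-signed root-ca.pem from the question, which never signed Keycloak.
make_ca public "Example Public CA"
make_ca localroot keycloak.myapp.com
make_leaf public keycloak keycloak.myapp.com san
make_leaf public keycloak-cnonly keycloak.myapp.com nosan

report() { if idp_trust_ok "$1" "$2" "$3"; then echo "OK   $1 -> $2"; else echo "FAIL $1 -> $2"; fi; }
report public keycloak keycloak.myapp.com          # OK: the setup the answer prescribes
report localroot keycloak keycloak.myapp.com       # FAIL: wrong trust anchor (original setup)
report public keycloak-cnonly keycloak.myapp.com   # FAIL: FQDN only in the CN, not in the SAN
```

The SAN is checked separately because `openssl verify -verify_hostname` falls back to the CN when a certificate has no dNSName SAN, so it alone would not catch the CN-only case.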