Problems with ssl/tls config?

#1

I’ve been utilizing the RPMs under CentOS 7 as well for Open Distro Elasticsearch and Kibana and have attempted to replace the certificates for the “reverse proxy” part with wildcard domain certs. I’ve left the default demo certificates in place in /etc/elasticsearch. I’ve also tried replacing localhost with the FQDN under elasticsearch.url in kibana.yml, only to come up with the same basic error.

I’ve tried stipulating in kibana.yml:

```
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/mywildcardcert.pem
server.ssl.key: /etc/kibana/mywildcardcert.key
```

(the rest of the default kibana.yml items that are default are below)

Everything restarts normally – I can even pass curl commands as in the installation docs to 9200 normally and get a response.

I’ve now checked perms and tried modifying certificate formats… and end up with this in the logs:

```
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["status","plugin:console@6.6.2","info"],"pid":8777,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["error","elasticsearch","admin"],"pid":8777,"message":"Request error, retrying\nHEAD https://localhost:9200/ => connect ECONNREFUSED 127.0.0.1:9200"}
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["warning","elasticsearch","admin"],"pid":8777,"message":"Unable to revive connection: https://localhost:9200/"}
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["warning","elasticsearch","admin"],"pid":8777,"message":"No living connections"}
```

Help?

#2

I had this same issue with the docker version. I was using a local CA and needed to add:

```
elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
```

#3

Sadly, that didn’t seem to work for me. Here’s what my config looks like vaguely, with the relevant names obfuscated:

```
server.host: "something.mydomain.com"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/validmydomain.crt
server.ssl.key: /etc/kibana/validmydomain.key

elasticsearch.url: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificate: /etc/kibana/selfsignednodecert.pem
elasticsearch.ssl.key: /etc/kibana/selfsignednodekey.key
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/selfsignednoderootca.pem"]
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.allow_client_certificates: true
```

Still responding to curl commands…

#4

You might try using the actual hostname instead of localhost, or make sure the certificate has a SAN for localhost. I have to use the actual hostname with the docker container, so can’t use localhost.

#5

I did try using the actual FQDN and the IP (with an entry in /etc/hosts, and an AltSubject of the IP in the self signed cert) as well as 0.0.0.0. I’ve also regenerated the self signed certs more than once just in case…
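
An added example, not part of any post above and not Kibana or Open Distro code: a small triage helper that reads Kibana log lines in the format shown in post #1 and reports which layer the Elasticsearch connection failed at. For the `ECONNREFUSED` line it reports `tcp`, meaning the connection was refused before any certificate was exchanged. The rule list, the `classify` name and the second sample line are assumptions made for this example.

```python
import json
import re

# Syslog prefix as in the thread: "Apr 8 14:51:24 blah kibana: {json}"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+kibana:\s+(\{.*\})\s*$")

# (substring, layer, hint). The rule list is an assumption of this example, not
# an exhaustive catalogue; the TLS strings are Node.js verification messages.
RULES = [
    ("ECONNREFUSED", "tcp", "nothing accepted the connection; TLS never started"),
    ("ETIMEDOUT", "tcp", "no TCP answer (firewall or wrong address)"),
    ("ENOTFOUND", "dns", "hostname in elasticsearch.url did not resolve"),
    ("self signed certificate", "tls", "CA missing from elasticsearch.ssl.certificateAuthorities"),
    ("unable to verify the first certificate", "tls", "incomplete chain or untrusted CA"),
    ("altnames", "tls", "host in elasticsearch.url is not in the certificate SAN"),
]

def classify(line):
    """Return (layer, hint) for a Kibana elasticsearch-tagged line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        event = json.loads(m.group(1))
    except ValueError:
        return None
    if "elasticsearch" not in event.get("tags", []):
        return None
    msg = event.get("message", "").lower()
    for needle, layer, hint in RULES:
        if needle.lower() in msg:
            return layer, hint
    return None

SAMPLES = [
    # From post #1 (quotes normalised to ASCII).
    r'Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["error","elasticsearch","admin"],"pid":8777,"message":"Request error, retrying\nHEAD https://localhost:9200/ => connect ECONNREFUSED 127.0.0.1:9200"}',
    # Constructed for this example: a certificate verification failure.
    r'Apr 8 14:52:10 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:52:10Z","tags":["error","elasticsearch","admin"],"pid":8777,"message":"Request error, retrying\nHEAD https://localhost:9200/ => self signed certificate in certificate chain"}',
    # From post #1: a plugin status line, not a connection error.
    r'Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["status","plugin:console@6.6.2","info"],"pid":8777,"state":"green","message":"Status changed from uninitialized to green - Ready"}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```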