Issue with self signed certificate SSL Certificate Issue

Security
,
1

Hello Team,
I have installed opendistro ES and kibana on linux machine(Server) using RPM.After successfull installation ES status coming as running but I am not able to access elasticsearch and kibana using Server ip address from my local windows machine as below.While hitting below url nothing is accessible.

https://172.16.23.27:9200

[root@master-node ~]# curl -XGET https://localhost:9200
curl: (60) Peer’s Certificate issuer is not recognized.

So I have created self signed certificate and replaced defualt opendistro ssl certificate’s( esnode.pem,esnode-key.pem,kirk-key.pem,kirk.pem,root-ca.pem located in /etc/elasticsearch)
with these self signed certificate but after that Elasticsearch is failed to start.Tried to start elasticsearch with below command

[root@master-node sslcertforopendistro]# sudo systemctl start elasticsearch.service
Job for elasticsearch.service failed because a timeout was exceeded. See “systemctl status elasticsearch.service” and “journalctl -xe” for details.

Please suggest how to access elasticsearch url with IPaddress from other different machine(windows)

Thanks
Sarvendra

2

I had created self signed .jks certificated using below commands.I had passed local ipaddress(192.168.1.3) from that machine where we need to access Elasticsearch url with ipaddress.

keytool -genkeypair -keystore keystore.jks -dname “CN=192.168.1.3, OU=192.168.1.3, O=192.168.1.3, L=noida, ST=up, C=in” -keypass Deepti@1985 -storepass Deepti@1985 -keyalg RSA -alias server -ext SAN=ip:192.168.1.3,ip:0.0.0.0

keytool -export -alias server -file client.cer -keystore keystore.jks

keytool -importcert -file client.cer -keystore truststore.jks -alias server

3

@opendistro Team,
Can you Pleasse suggeston this…how to create,configure and use self signed jkm certificate instead of default certificates.

Thanks
Sarvendra

4

Since these are self-signed, curl will not recognise them use -k with curl to disable certificate check and that should do it,

5

Hi @sarvendras did you manage to get the curl command working?

6

Good Day Friends,

I am currently facing a similar issue in which when I am trying to connect to Kibana I am getting a connection refused and when I do a telnet to the kibana machine it has stopped listening on port 443 but when I am doing a systemctl status Kibana and systemctl status elastic it shows active.

I am not sure how to fix this issue and my Kibana interface is currently down.

I have double checked IPtables and ufw but both seems to be off and I see the following two errors which I am doing curl:

Appreciate some help in this thanks.

curl: (7) Failed connect to securitycenter.salsalabs.net:443; Connection refused
[root@securitycenter elasticsearch]# curl -X GET https://localhost:9200/
curl: (60) Peer’s Certificate issuer is not recognized.

7

Hi,

have you tried it with -k option as mentioned above?
You can also test the connection with openssl:
openssl s_client -connect securitycenter.salsalabs.net:443 -showcerts

Btw. in your link its http://securitycenter.salsalabs.net:443/ not https, so maybe your routing to https doesn’t work ?!?