Kibana using SSL on the security-configuration page broken in OD 1.2.1 release using Debian

I have clean installed opendistroforelasticsearch-kibana_1.2.1_amd64.deb on multiple “Ubuntu 16.04.4 LTS” host servers. All installations I am experiencing the same MAJOR BLOCKER.

After installing opendistroforelasticsearch-kibana (1.2.1), Unfortunately I am experiencing a blocker when opening the Kibana security-configuration page using the latest Chrome (v79.0.3945.79 - 64-bit) and Firefox (v71.0 - 64-bit) Browsers, reporting "Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘unsafe-eval’” in browser console and causing required missing icons to administrate ES.

Examination of the broken page source shows the error message “This Kibana installation has strict security requirements enabled that your current browser does not meet.” while the Browser console reports invalid 404 URLs

GET{{actionGroupsSvgURL}} 404 (Not Found)
GET{{tenantsSvgURL}} 404 (Not Found)
GET{{internalUserDatabaseSvgURL}} 404 (Not Found)
GET{{rolesSvgURL}} 404 (Not Found)
GET{{roleMappingsSvgURL}} 404 (Not Found)
GET{{purgeCacheSvgURL}} 404 (Not Found)
GET{{authenticationSvgURL}} 404 (Not Found)

All these issues with trying to configure ES using the Kibana configuration page makes OD 1.2.1 release unusable.
My kibana.yml is as follows

server.port: 5601 "" ""
elasticsearch.hosts: [""]
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
elasticsearch.ssl.certificate: /etc/kibana/ssl/
elasticsearch.ssl.key: /etc/kibana/ssl/
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ssl/" ]
elasticsearch.ssl.verificationMode: full
opendistro_security.allow_client_certificates: true
opendistro_security.multitenancy.enabled: false
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/ssl/
server.ssl.key: /etc/kibana/ssl/
logging.dest: /var/log/kibana.log
csp.strict: true

I’m not sure if the issue is faulty browser detection, but I am using the latest Firefox and Chrome browsers, so not sure why its blocking me from using the configuration page with Content Security Policy errors.


  • I am logged in as the default administrator account admin / admin, so I should have privileges to see the configuration page
  • I have the configuration opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”] in elasticsearch.yml on all my cluster nodes so I should be using the right user roles.

Any Help with workarounds would be much appreciated

Hey Imit,

Apologize for the trouble here. We will look into this and provide a response by tomorrow morning.


Thank you for responding

CONFIDENTIALITY STATEMENT: This communication (and any and all information or material transmitted with this communication) is confidential, may be privileged and is intended only for the use of the intended recipient. If you are not the intended recipient,
any review, retransmission, circulation, distribution, reproduction, conversion to hard copy, copying or other use of this communication, information or material is strictly prohibited. If you received this communication in error or if it is forwarded to you
without the express authorization of Valor, please notify us immediately by telephone or by return email and permanently delete the communication, information and material from any computer, disk drive, diskette or other storage device or media. Thank you.

Was there a resolution to this?