Problems with ssl/tls config?

I’ve been utilizing the RPMs under CentOS 7 as well for Open Distro Elasticsearch and Kibana and have attempted to replace the certificates for the “reverse proxy” part with wildcard domain certs. I’ve left the default demo certificates in place in /etc/elasticsearch. I’ve also tried replacing localhost with the FQDN under elasticsearch.url in kibana.yml and come up with the same basic error.

I’ve tried stipulating in kibana.yml:

```yaml
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/mywildcardcert.pem
server.ssl.key: /etc/kibana/mywildcardcert.key
```

(the rest of the default kibana.yml items that are default are below)

Everything restarts normally – I can even pass curl commands as in the installation docs to 9200 normally and get a response.

I’ve now checked perms and tried modifying certificate formats… and end up with this in the logs:

```
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["status","plugin:console@6.6.2","info"],"pid":8777,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["error","elasticsearch","admin"],"pid":8777,"message":"Request error, retrying\nHEAD https://localhost:9200/ => connect ECONNREFUSED 127.0.0.1:9200"}
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["warning","elasticsearch","admin"],"pid":8777,"message":"Unable to revive connection: https://localhost:9200/"}
Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["warning","elasticsearch","admin"],"pid":8777,"message":"No living connections"}
```

Help?
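Added example, not from this thread or from the Kibana/Open Distro projects: a small triage script for exactly the kind of log lines quoted above. It parses the syslog-wrapped JSON that Kibana writes and sorts each failure into a cause class, so that `connect ECONNREFUSED` (nothing accepting TCP connections on the address Kibana dialled, a problem no certificate setting can fix) is kept apart from TLS trust and hostname failures. The error codes and message fragments are the standard ones Node.js/OpenSSL surface; the sample lines are the ones from the post plus one constructed SAN-mismatch line.

```python
"""Triage Kibana log lines that report Elasticsearch connection failures.

Added example, not from the thread and not Kibana's own code.  It parses the
syslog-wrapped JSON lines Kibana writes and sorts each failure into a cause
class, so a plain network problem is not mistaken for a certificate problem.
"""
import json
import re

# "<Mon> <d> <hh:mm:ss> <host> kibana: {json}"
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kibana: (?P<json>\{.*\})$")
# "... => connect ECONNREFUSED 127.0.0.1:9200": the address the resolver actually produced
_PEER_RE = re.compile(r"connect E[A-Z]+ (?P<addr>\S+):(?P<port>\d+)\s*$")

# (fragment of the Kibana message, cause class, what to check); first match wins
_CAUSES = [
    ("ECONNREFUSED", "network",
     "no process accepts TCP connections on the resolved address:port; compare the address Kibana "
     "dialled with what Elasticsearch binds (network.host) and with the address curl was given"),
    ("ETIMEDOUT", "network", "connection attempts time out: firewall or wrong host"),
    ("EHOSTUNREACH", "network", "no route to the host"),
    ("EPROTO", "tls", "protocol mismatch, e.g. https in elasticsearch.url against a plaintext port"),
    ("does not match certificate's altnames", "tls-hostname",
     "the certificate SAN does not cover the host named in elasticsearch.url"),
    ("ERR_TLS_CERT_ALTNAME_INVALID", "tls-hostname",
     "the certificate SAN does not cover the host named in elasticsearch.url"),
    ("unable to verify the first certificate", "tls-trust",
     "issuing CA not in elasticsearch.ssl.certificateAuthorities"),
    ("self signed certificate", "tls-trust",
     "self-signed certificate or CA not in elasticsearch.ssl.certificateAuthorities"),
    ("certificate has expired", "tls-trust", "server certificate expired"),
    ("Unable to revive connection", "symptom", "follows an earlier failure; triage that one first"),
    ("No living connections", "symptom", "follows an earlier failure; triage that one first"),
]

def parse_line(line):
    """Return the JSON document of a Kibana log line, or None if it is not one."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    try:
        return json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None

def classify(doc):
    """Map one parsed document to (cause_class, hint, peer) or None when it is not a failure."""
    tags = doc.get("tags", [])
    if "error" not in tags and "warning" not in tags:
        return None
    msg = doc.get("message", "")
    pm = _PEER_RE.search(msg)
    peer = (pm.group("addr"), int(pm.group("port"))) if pm else None
    for fragment, cause, hint in _CAUSES:
        if fragment in msg:
            return cause, hint, peer
    return "unclassified", (msg.splitlines() or [""])[0], peer

def triage(lines):
    """Classify every failure line; root_cause is the first finding that is not a mere symptom."""
    findings = []
    for line in lines:
        doc = parse_line(line)
        if doc is None:
            continue
        c = classify(doc)
        if c is not None:
            findings.append(c)
    root = next((f for f in findings if f[0] != "symptom"), None)
    return findings, root

# Four lines from the post (straight quotes) plus one constructed SAN-mismatch line.
SAMPLE_LINES = [
    r"""Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["status","plugin:console@6.6.2","info"],"pid":8777,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}""",
    r"""Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["error","elasticsearch","admin"],"pid":8777,"message":"Request error, retrying\nHEAD https://localhost:9200/ => connect ECONNREFUSED 127.0.0.1:9200"}""",
    r"""Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["warning","elasticsearch","admin"],"pid":8777,"message":"Unable to revive connection: https://localhost:9200/"}""",
    r"""Apr 8 14:51:24 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:51:24Z","tags":["warning","elasticsearch","admin"],"pid":8777,"message":"No living connections"}""",
    # constructed: what a SAN mismatch looks like once the TCP connection itself succeeds
    r"""Apr 8 14:52:01 blah kibana: {"type":"log","@timestamp":"2019-04-08T12:52:01Z","tags":["error","elasticsearch","admin"],"pid":8777,"message":"Request error, retrying\nHEAD https://localhost:9200/ => Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:*.mydomain.com"}""",
]

if __name__ == "__main__":
    findings, root = triage(SAMPLE_LINES)
    for cause, hint, peer in findings:
        print(f"{cause:13} peer={peer} {hint}")
    print("root cause:", root[0] if root else "none")
```

On the posted lines the root cause comes out as `network`, with peer `127.0.0.1:9200`: localhost resolved to the loopback address and nothing answered there, which is the first thing to reconcile with the address that the working curl command was given.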

I had this same issue with the docker version. I was using a local CA and needed to add

```yaml
elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
```

Sadly, that didn’t seem to work for me :confused: Here’s what my config looks like vaguely, with the relevant names obfuscated:

```yaml
server.host: "something.mydomain.com"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/validmydomain.crt
server.ssl.key: /etc/kibana/validmydomain.key

elasticsearch.url: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificate: /etc/kibana/selfsignednodecert.pem
elasticsearch.ssl.key: /etc/kibana/selfsignednodekey.key
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/selfsignednoderootca.pem"]
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.allow_client_certificates: true
```

Still responding to curl commands…
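Added example, not from this thread and not Kibana's or Open Distro's own code: a lint for the TLS-related settings in a kibana.yml like the one above. It reads flat `key: value` lines (a deliberately minimal parser, not a YAML implementation; list values are `[a, b]` on one line) and reports what each setting does and does not protect, so that a value chosen to make an error go away, such as `verificationMode: none`, shows up as the risk it is. The docstring also spells out the two certificate roles that are easy to confuse: `server.ssl.*` is what Kibana presents to browsers, `elasticsearch.ssl.certificate`/`key` is a client certificate Kibana presents to Elasticsearch, and `certificateAuthorities` is what Kibana trusts for Elasticsearch's server certificate. The two embedded configs are constructed: one mirrors the posted settings, the other is a hardened counterpart with a placeholder hostname and password.

```python
"""Lint the TLS settings of a kibana.yml for what they actually protect.

Added example, not part of the thread and not Kibana's or Open Distro's own code.

Certificate roles:
  server.ssl.certificate / server.ssl.key     what Kibana presents to browsers
  elasticsearch.ssl.certificate / .key        client certificate Kibana presents to Elasticsearch
  elasticsearch.ssl.certificateAuthorities    CAs Kibana trusts for Elasticsearch's server certificate
"""
import re
from urllib.parse import urlparse

_KV_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")
_QUOTES = "\"'\u201c\u201d"                          # straight and curly quotes, as pasted into forums
DEMO_CREDENTIALS = ("kibanaserver", "kibanaserver")   # Open Distro demo defaults

def parse_kibana_yml(text):
    """Parse flat key: value lines; lists are one-line [a, b]; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _KV_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if val.startswith("[") and val.endswith("]"):
            cfg[key] = [v.strip().strip(_QUOTES) for v in val[1:-1].split(",") if v.strip()]
        else:
            cfg[key] = val.strip(_QUOTES)
    return cfg

def lint(cfg):
    """Return (severity, code, message) findings; severity is ERROR, WARN or INFO."""
    out = []
    url = cfg.get("elasticsearch.url", "")
    parsed = urlparse(url) if url else None
    https = bool(parsed and parsed.scheme == "https")
    host = parsed.hostname if parsed else None
    mode = cfg.get("elasticsearch.ssl.verificationMode", "full")   # Kibana's default is full

    if url and not https:
        out.append(("WARN", "plaintext-to-es",
                    "elasticsearch.url is not https: credentials and data to Elasticsearch travel in clear"))
    if mode == "none":
        out.append(("WARN", "verification-disabled",
                    "verificationMode none: any certificate on the port is accepted, so the "
                    "elasticsearch.username/password pair is sent to an unauthenticated peer"))
    elif mode == "certificate":
        out.append(("WARN", "hostname-unchecked",
                    "verificationMode certificate: the chain is checked but the hostname is not"))
    elif mode == "full" and https and host:
        out.append(("INFO", "san-required",
                    f"verificationMode full: the Elasticsearch certificate must carry a SAN for {host!r}"))
    if https and mode != "none" and not cfg.get("elasticsearch.ssl.certificateAuthorities"):
        out.append(("WARN", "no-ca-configured",
                    "no elasticsearch.ssl.certificateAuthorities: trust falls back to the system store, "
                    "which will not contain a self-signed node CA"))
    if (cfg.get("elasticsearch.username"), cfg.get("elasticsearch.password")) == DEMO_CREDENTIALS:
        out.append(("WARN", "demo-credentials", "elasticsearch.username/password are the demo defaults"))
    if bool(cfg.get("elasticsearch.ssl.certificate")) != bool(cfg.get("elasticsearch.ssl.key")):
        out.append(("ERROR", "client-cert-pair-incomplete",
                    "elasticsearch.ssl.certificate and elasticsearch.ssl.key must be set together"))
    if cfg.get("server.ssl.enabled") == "true" and not (
            cfg.get("server.ssl.certificate") and cfg.get("server.ssl.key")):
        out.append(("ERROR", "server-cert-missing",
                    "server.ssl.enabled is true but server.ssl.certificate/key are not both set"))
    return out

def lint_text(text):
    return lint(parse_kibana_yml(text))

def worst_severity(findings):
    order = {"INFO": 0, "WARN": 1, "ERROR": 2}
    return max((f[0] for f in findings), key=order.get, default="OK")

# Constructed from the posted config (names as in the post).
POSTED_CONFIG = """
server.host: "something.mydomain.com"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/validmydomain.crt
server.ssl.key: /etc/kibana/validmydomain.key
elasticsearch.url: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificate: /etc/kibana/selfsignednodecert.pem
elasticsearch.ssl.key: /etc/kibana/selfsignednodekey.key
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/selfsignednoderootca.pem"]
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
"""

# Constructed hardened counterpart: full verification against the node CA, a real hostname
# (placeholder es01.mydomain.com) that the node certificate's SAN must list, non-demo password.
HARDENED_CONFIG = """
server.host: "something.mydomain.com"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/validmydomain.crt
server.ssl.key: /etc/kibana/validmydomain.key
elasticsearch.url: https://es01.mydomain.com:9200
elasticsearch.ssl.verificationMode: full
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/selfsignednoderootca.pem"]
elasticsearch.username: kibanaserver
elasticsearch.password: REPLACE_WITH_A_GENERATED_SECRET
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = lint_text(text)
        print(f"{name}: worst={worst_severity(findings)}")
        for sev, code, msg in findings:
            print(f"  {sev:5} {code}: {msg}")
```

The posted config lints to two warnings: verification is disabled, and the `kibanaserver` demo credentials are still in use. The hardened counterpart lints clean apart from the reminder that, with `full`, the host in `elasticsearch.url` has to appear in the node certificate's SAN, which is also why switching `localhost` for the FQDN only helps when the certificate was issued for that FQDN.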

You might try using the actual hostname instead of localhost, or make sure the certificate has a SAN for localhost. I have to use the actual hostname with the docker container, so I can’t use localhost.

I did try using the actual FQDN and the IP (with an entry in /etc/hosts, and an AltSubject of the IP in the self-signed cert) as well as 0.0.0.0. I’ve also regenerated the self-signed certs more than once just in case…

Hi @starrynight, Did you find any solution for the same? I am also stuck with the same error.

Nope, no solution to the issue. :confused:

Hi @starrynight, Try changing the value of elasticsearch.ssl.verificationMode to certificate or none in the kibana.yml file. It worked for me. :grinning:

```yaml
elasticsearch.ssl.verificationMode: certificate
```

Hi @harish_hothi, I have added that and it is still not working for me. I have just one question: what certificate are we passing in server.ssl.certificate and what in elasticsearch.ssl.certificate? Are these two different?

@harsh
From your kibana machine what is the output when you do curl -vvv https://:9200

Hi @sreekanth, Thanks for the reply.
I have tried the curl request you mentioned and got the error. It was an issue with my certificate. It is resolved now.

Thanks.
