Setting up SSL with OpenID

Hi,

So, for a few days now I’ve been trying to set up my opendistro stack with SSL and I cannot figure it out.
My setup is still in development, so up until now, I was using the stack on HTTP and everything worked fine, from ElasticSearch to Logstash with Kibana SSO from my Identity Server.

Now, I need to move the whole stack to HTTPS, because my identity server is now on HTTPS and all my other clients are too. After playing around for a few days, I decided to go barebones and try to make the ElasticSearch-Kibana connection work on HTTPS with basicauth. It does work.

From the same config, I added back my openid parameters inside the kibana.yml, and added the required settings in the security config files. Here are the important parts of the config files:

Security config.yml:

    openid_auth_domain:
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: openid
        challenge: false
        config:
          enable_ssl: true
          verify_hostnames: false
          pemtrustedcas_filepath: /usr/share/elasticsearch/config/identity_ca.pem
          openid_connect_url: https://myworkingdomain/.well-known/openid-configuration
          subject_key: username
          roles_key: roles
      authentication_backend:
        type: noop

kibana.yml:

    server.name: kibana
    server.host: "0"
    server.cors : true
    server.customResponseHeaders : { "Access-Control-Allow-Credentials" : "true" }
    server.ssl.enabled: true
    server.ssl.certificate: /usr/share/kibana/config/backend_crt.pem
    server.ssl.key: /usr/share/kibana/config/backend_key.pem

    elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/backend_crt.pem"]

    elasticsearch.ssl.verificationMode: certificate
    elasticsearch.username: username
    elasticsearch.password: password
    elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization", "jwtToken", "x-forwarded-for", "x-forwarded-by", "access-control-allow-credentials"]

    opendistro_security.multitenancy.enabled: false
    opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
    opendistro_security.readonly_mode.roles: ["kibana_read_only"]

    opendistro_security.auth.type: "openid"
    opendistro_security.openid.connect_url: "https://myworkingdomain/.well-known/openid-configuration"
    opendistro_security.openid.client_id: "kibanaclient"
    opendistro_security.openid.client_secret: "secret"
    opendistro_security.openid.scope: "openid profile email phone address"
    opendistro_security.openid.base_redirect_url: "http://mykibanaredirecturl:5601"
    opendistro_security.openid.root_ca: "/usr/share/kibana/config/identity_ca.pem"

Part of elasticsearch.yml:

    opendistro_security.ssl.transport.pemcert_filepath: backend_crt.pem
    opendistro_security.ssl.transport.pemkey_filepath: backend_key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: backend_crt.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: backend_crt.pem
    opendistro_security.ssl.http.pemkey_filepath: backend_key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: backend_crt.pem

As you can see, I used backend_crt and backend_key for both Elastic and Kibana, but it worked in basicauth. So, I added the identity_ca.pem to give it as a parameter in both the security config.yml and kibana.yml as root_ca, but this is not working. The security plugin cannot initialize, but there are no details (even with logging verbose).

    "tags":["status","plugin:opendistro_security@1.8.0.0","error"],"pid":1,"state":"red","message":"Status changed from yellow to red - An error occurred during initialisation, please check the logs."

Does anyone have any clue on what might be wrong in my config? Thanks

Additional information:
I am able to curl my identity server when passing its cacert, for example:

    curl https://myworkingdomain/.well-known/openid-configuration --cacert identity_ca.pem

This returns the desired content from the endpoint.

My working OPENID configuration, part of config.yml:

    openid_auth_domain:
      description: "SSO with DEX"
      http_enabled: true
      transport_enabled: true
      order: 2
      http_authenticator:
        type: openid
        challenge: false
        config:
          subject_key: preferred_username
          roles_key: groups
          openid_connect_url: "https://dex.query.platform-lab.svc/.well-known/openid-configuration"
          openid_connect_idp.enable_ssl: true
          openid_connect_idp.verify_hostnames: false
          openid_connect_idp.pemtrustedcas_filepath: "/etc/elasticsearch/pki/ca_chain.pem"
      authentication_backend:
        type: noop

kibana.yaml and elasticsearch.yaml look similar to yours.
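As an added example (not code from either poster or from the Open Distro project), the script below lints the OpenID authenticator section of a security config.yml and the matching kibana.yml for the points that differ between the question and the reply: the reply puts the IdP TLS settings under the `openid_connect_idp.` prefix, while the question uses bare `enable_ssl` / `verify_hostnames` / `pemtrustedcas_filepath` keys, and the question's Kibana serves HTTPS while `base_redirect_url` is still `http://`. It also flags `verify_hostnames: false`, which both configs set, as a check worth revisiting once things work. The two configs are embedded as Python dicts constructed to mirror the posts, so it runs offline with no YAML library; `fetch_discovery` is the `curl --cacert` check from the question, is a real network call, and is only reached from `main`.

```python
"""Lint Open Distro OpenID TLS settings (constructed example, not project code)."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Spellings from the non-working config: same "config" map, but without the
# openid_connect_idp. prefix that the working config on this page uses.
UNPREFIXED_TLS_KEYS = ("enable_ssl", "verify_hostnames", "pemtrustedcas_filepath")


def lint_openid_domain(domain: dict) -> list:
    """Return findings for one authc domain (a value under config.authc)."""
    findings = []
    authc = domain.get("http_authenticator", {})
    if authc.get("type") != "openid":
        return ["http_authenticator.type is not 'openid'"]
    cfg = authc.get("config", {})
    url = cfg.get("openid_connect_url", "")
    is_https = urlparse(url).scheme == "https"
    if not is_https:
        findings.append("openid_connect_url is not https: %r" % url)
    for key in UNPREFIXED_TLS_KEYS:
        if key in cfg:
            findings.append("%r lacks the openid_connect_idp. prefix" % key)
    if is_https and "openid_connect_idp.pemtrustedcas_filepath" not in cfg:
        findings.append("https IdP but no openid_connect_idp.pemtrustedcas_filepath")
    if cfg.get("openid_connect_idp.verify_hostnames") is False:
        findings.append("openid_connect_idp.verify_hostnames is false (hostname check off)")
    return findings


def lint_kibana(kibana: dict) -> list:
    """Return findings for the flat key/value form of kibana.yml."""
    findings = []
    redirect = kibana.get("opendistro_security.openid.base_redirect_url", "")
    if kibana.get("server.ssl.enabled") is True and urlparse(redirect).scheme != "https":
        findings.append("Kibana serves https but base_redirect_url is %r" % redirect)
    if kibana.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append("elasticsearch.ssl.verificationMode is 'none'")
    return findings


def fetch_discovery(url: str, ca_file: str) -> dict:
    """Same check as `curl <url> --cacert <ca_file>`: trust only that CA."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and hostname
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed to mirror the non-working config in the question.
BROKEN_DOMAIN = {
    "http_enabled": True, "transport_enabled": True, "order": 0,
    "http_authenticator": {"type": "openid", "challenge": False, "config": {
        "enable_ssl": True, "verify_hostnames": False,
        "pemtrustedcas_filepath": "/usr/share/elasticsearch/config/identity_ca.pem",
        "openid_connect_url": "https://myworkingdomain/.well-known/openid-configuration",
        "subject_key": "username", "roles_key": "roles"}},
    "authentication_backend": {"type": "noop"},
}

# Constructed to mirror the working config in the reply.
WORKING_DOMAIN = {
    "description": "SSO with DEX", "http_enabled": True, "transport_enabled": True, "order": 2,
    "http_authenticator": {"type": "openid", "challenge": False, "config": {
        "subject_key": "preferred_username", "roles_key": "groups",
        "openid_connect_url": "https://dex.query.platform-lab.svc/.well-known/openid-configuration",
        "openid_connect_idp.enable_ssl": True,
        "openid_connect_idp.verify_hostnames": False,
        "openid_connect_idp.pemtrustedcas_filepath": "/etc/elasticsearch/pki/ca_chain.pem"}},
    "authentication_backend": {"type": "noop"},
}

# Constructed from the kibana.yml lines in the question.
BROKEN_KIBANA = {
    "server.ssl.enabled": True,
    "elasticsearch.ssl.verificationMode": "certificate",
    "opendistro_security.openid.base_redirect_url": "http://mykibanaredirecturl:5601",
}

if __name__ == "__main__":
    for name, dom in (("question", BROKEN_DOMAIN), ("reply", WORKING_DOMAIN)):
        print(name, lint_openid_domain(dom))
    print("kibana", lint_kibana(BROKEN_KIBANA))
    # Uncomment with a real CA file to reproduce the curl check from the question:
    # print(fetch_discovery(BROKEN_DOMAIN["http_authenticator"]["config"]["openid_connect_url"],
    #                       "identity_ca.pem")["issuer"])
```

Run it as-is to see the question's domain produce four findings (three unprefixed keys plus the missing prefixed CA path) while the reply's domain produces only the hostname-verification caveat; the Kibana check reports the http redirect URL on an HTTPS server.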

This worked for me too.

https://github.com/opendistro-for-elasticsearch/security/issues/419

For anyone reading this months later, all of the GitHub issues were moved and the link is dead.
The issue linked above by Pablo is now here:

https://github.com/opensearch-project/documentation-website/issues/96