Setting up SSL with OpenID


So, for a few days now I’ve been trying to set up my opendistro stack with SSL and I cannot figure it out.
My setup is still in development, so up until now, I was using the stack on HTTP and everything worked fine, from ElasticSearch to Logstash with Kibana SSO from my Identity Server.

Now, I need to move the whole stack to HTTPS, because my identity server is now on HTTPS and all my other clients are too. After playing around for a few days, I decided to go barebones and try to make the ElasticSearch-Kibana connection work on HTTPS with basicauth. It does work.

From the same config, I added back my openid parameters inside the kibana.yml, and added the required settings in the security config files. Here are the important parts of the config files:

Security config.yml:

    http_enabled: true
    transport_enabled: true
    order: 0
      type: openid
      challenge: false
        enable_ssl: true
        verify_hostnames: false
        pemtrustedcas_filepath: /usr/share/elasticsearch/config/identity_ca.pem
        openid_connect_url: https://myworkingdomain/.well-known/openid-configuration
        subject_key: username
        roles_key: roles
      type: noop

kibana.yml:

    server.cors : true
    server.customResponseHeaders : { "Access-Control-Allow-Credentials" : "true" }
    server.ssl.enabled: true
    server.ssl.certificate: /usr/share/kibana/config/backend_crt.pem
    server.ssl.key: /usr/share/kibana/config/backend_key.pem

    elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/backend_crt.pem"]

    elasticsearch.ssl.verificationMode: certificate
    elasticsearch.username: username
    elasticsearch.password: password
    elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization", "jwtToken", "x-forwarded-for", "x-forwarded-by", "access-control-allow-credentials"]

    opendistro_security.multitenancy.enabled: false
    opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
    opendistro_security.readonly_mode.roles: ["kibana_read_only"]

    opendistro_security.auth.type: "openid"
    opendistro_security.openid.connect_url: "https://myworkingdomain/.well-known/openid-configuration"
    opendistro_security.openid.client_id: "kibanaclient"
    opendistro_security.openid.client_secret: "secret"
    opendistro_security.openid.scope: "openid profile email phone address"
    opendistro_security.openid.base_redirect_url: "http://mykibanaredirecturl:5601"
    opendistro_security.openid.root_ca: "/usr/share/kibana/config/identity_ca.pem"

Part of elasticsearch.yml:

    opendistro_security.ssl.transport.pemcert_filepath: backend_crt.pem
    opendistro_security.ssl.transport.pemkey_filepath: backend_key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: backend_crt.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: backend_crt.pem
    opendistro_security.ssl.http.pemkey_filepath: backend_key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: backend_crt.pem

As you can see, I used backend_crt and backend_key for both Elastic and Kibana, but it worked in basicauth. So, I added the identity_ca.pem and pass it as a parameter in both the security config.yml and kibana.yml as root_ca, but this is not working. The security plugin cannot initialize, but there are no details (even with verbose logging).

    "tags":["status","plugin:opendistro_security@","error"],"pid":1,"state":"red","message":"Status changed from yellow to red - An error occurred during initialisation, please check the logs."

Does anyone have any clue on what might be wrong in my config? Thanks

Additional information:
I am able to curl my identity server when passing its CA cert, for example:

    curl https://myworkingdomain/.well-known/openid-configuration --cacert identity_ca.pem

This returns the desired content from the endpoint.
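As an added example that is not part of the thread, here is a small Python check that parses the flat `dotted.key: value` lines of a kibana.yml like the one above and flags inconsistencies between the OpenID and TLS settings (Kibana on https with an http:// `base_redirect_url`, an https `connect_url` without `root_ca`, `verificationMode: none`, or Kibana's own server certificate reused as the Elasticsearch trust anchor). The checks and the sample values are my assumptions for illustration, not the thread's diagnosis.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the kibana.yml fragment above (hostnames and paths are placeholders).
SAMPLE_KIBANA_YML = """\
server.ssl.enabled: true
server.ssl.certificate: /usr/share/kibana/config/backend_crt.pem
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/backend_crt.pem"]
elasticsearch.ssl.verificationMode: certificate
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://myworkingdomain/.well-known/openid-configuration"
opendistro_security.openid.base_redirect_url: "http://mykibanaredirecturl:5601"
opendistro_security.openid.root_ca: "/usr/share/kibana/config/identity_ca.pem"
"""

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse Kibana's flat `dotted.key: value` lines; quotes and [] list brackets are stripped
    so values compare as plain strings, comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = re.sub(r'[\[\]"\']', "", value).strip()
    return settings

def lint_openid_tls(settings: Dict[str, str]) -> List[str]:
    """Return the OpenID/TLS consistency problems found (an empty list means none)."""
    findings: List[str] = []
    if settings.get("opendistro_security.auth.type") != "openid":
        return findings  # the checks below only apply to the OpenID auth type
    kibana_tls = settings.get("server.ssl.enabled", "false").lower() == "true"
    redirect = settings.get("opendistro_security.openid.base_redirect_url", "")
    connect_url = settings.get("opendistro_security.openid.connect_url", "")
    if kibana_tls and redirect.startswith("http://"):
        findings.append("base_redirect_url is http:// while server.ssl.enabled is true: the IdP is told to "
                        "send the browser back to a plaintext URL that an https-only Kibana will not serve")
    if connect_url.startswith("https://") and not settings.get("opendistro_security.openid.root_ca"):
        findings.append("connect_url is https:// but root_ca is unset: Kibana can only fetch the discovery "
                        "document if the IdP certificate chains to a CA in its default trust store")
    if settings.get("elasticsearch.ssl.verificationMode", "full") == "none":
        findings.append("elasticsearch.ssl.verificationMode is none: any Elasticsearch certificate is accepted")
    es_ca = settings.get("elasticsearch.ssl.certificateAuthorities")
    if es_ca and es_ca == settings.get("server.ssl.certificate"):
        findings.append("elasticsearch.ssl.certificateAuthorities is Kibana's own server certificate: this "
                        "only works while Elasticsearch presents that exact self-signed certificate")
    return findings

if __name__ == "__main__":
    print(*lint_openid_tls(parse_flat_yaml(SAMPLE_KIBANA_YML)), sep="\n")
```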

My working OpenID configuration, part of config.yml:

    description: "SSO with DEX"
    http_enabled: true
    transport_enabled: true
    order: 2
      type: openid
      challenge: false
        subject_key: preferred_username
        roles_key: groups
        openid_connect_url: "https://dex.query.platform-lab.svc/.well-known/openid-configuration"
        openid_connect_idp.enable_ssl: true
        openid_connect_idp.verify_hostnames: false
        openid_connect_idp.pemtrustedcas_filepath: "/etc/elasticsearch/pki/ca_chain.pem"
      type: noop

kibana.yaml and elasticsearch.yaml look similar to yours.

This worked for me too.

For anyone reading this months later, all of the GitHub issues were moved and the link is dead.
The issue linked above by Pablo is now here: