TLS/SSL for Kibana and Elasticsearch using external cert

I’m having some issues getting TLS/SSL working with both Kibana and Elasticsearch. I have 1 Elastic node.

Please ignore the space between https:// and localhost in the Kibana config; it would not let me post more than two URLs as I am a new user.

As of right now I can access Kibana using my external cert with no issues using this configuration:

server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["https:// localhost:9200"]
elasticsearch.ssl.verificationMode: certificate
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: /etc/kibana/myprivkay.pem
server.ssl.certificate: /etc/kibana/mypubliccert.pem

As for Elasticsearch, here is my configuration file that is not working, along with the error Kibana is giving me when trying to connect to Elasticsearch. The Elasticsearch service is also running just fine:

Oct 24 21:02:34 ip-172-31-82-103 kibana[20238]: {"type":"log","@timestamp":"2019-10-24T21:02:34Z","tags":["warning","elasticsearch","admin"],"pid":20238,"message":"Unable to revive connection: https://localhost

When using the default certs I can access Elasticsearch using my companyname.com:5200, but when using my external certs it does not load.

Oct 24 21:02:34 ip-172-31-82-103 kibana[20238]: {"type":"log","@timestamp":"2019-10-24T21:02:34Z","tags":["warning","elasticsearch","admin"],"pid":20238,"message":"No living connections"}

Oct 24 21:02:35 ip-172-31-82-103 performance-analyzer-agent-cli[21837]: 21:02:35.525 [Thread-1] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ClusterLevelMetricsReader - Skip parsing. Num

node.name: OpenDistro
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
#transport.port: 9300
cluster.name: OpenDistro
# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
discovery.zen.minimum_master_nodes: 1
cluster.initial_master_nodes: [ "OpenDistro" ]

######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.allow_default_init_securityindex: true
opendistro_security.ssl.transport.pemcert_filepath: mypubliccert.pem
opendistro_security.ssl.transport.pemkey_filepath: myprivkay.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: myroot-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: mypubliccert.pem
opendistro_security.ssl.http.pemkey_filepath: myprivkay.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: myroot-ca.pem
#opendistro_security.allow_unsafe_democertificates: true
opendistro_security.authcz.admin_dn:
  - CN=*.domain.com,OU=ssl,O=Company,L=NA, C=NA
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

Does anybody have any recommendations?