I’m having some issues getting TLS/SSL working with both Kibana and Elasticsearch. I have 1 Elastic node.
Please ignore the space between https:// and localhost in the Kibana config; it would not let me post more than two URLs as I am a new user.
As of right now I can access Kibana using my external cert with no issues using this configuration:
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["https:// localhost:9200"]
elasticsearch.ssl.verificationMode: certificate
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: /etc/kibana/myprivkay.pem
server.ssl.certificate: /etc/kibana/mypubliccert.pem
As for Elasticsearch, here is my configuration file that is not working, along with the error Kibana is giving me when trying to connect to Elasticsearch. The Elasticsearch service is also running just fine:
Oct 24 21:02:34 ip-172-31-82-103 kibana[20238]: {"type":"log","@timestamp":"2019-10-24T21:02:34Z","tags":["warning","elasticsearch","admin"],"pid":20238,"message":"Unable to revive connection: https://localhost
When using the default certs I can access Elasticsearch using my companyname.com:5200, but when using my external certs it does not load.
Oct 24 21:02:34 ip-172-31-82-103 kibana[20238]: {"type":"log","@timestamp":"2019-10-24T21:02:34Z","tags":["warning","elasticsearch","admin"],"pid":20238,"message":"No living connections"}
Oct 24 21:02:35 ip-172-31-82-103 performance-analyzer-agent-cli[21837]: 21:02:35.525 [Thread-1] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ClusterLevelMetricsReader - Skip parsing. Num
node.name: OpenDistro
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
#transport.port: 9300
cluster.name: OpenDistro
# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
discovery.zen.minimum_master_nodes: 1
cluster.initial_master_nodes: [ "OpenDistro" ]
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.allow_default_init_securityindex: true
opendistro_security.ssl.transport.pemcert_filepath: mypubliccert.pem
opendistro_security.ssl.transport.pemkey_filepath: myprivkay.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: myroot-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: mypubliccert.pem
opendistro_security.ssl.http.pemkey_filepath: myprivkay.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: myroot-ca.pem
#opendistro_security.allow_unsafe_democertificates: true
opendistro_security.authcz.admin_dn:
  - CN=*.domain.com,OU=ssl,O=Company,L=NA, C=NA
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
Does anybody have any recommendations?