Elasticsearch and Kibana 8.4 issues with certificates: Comodo or Let's Encrypt - elasticsearch

I can't get Elastic and Kibana to work with real certificates from either Let's Encrypt or Comodo.
I've thought about it a thousand times, but no matter how much I read and reread, I can't find the error of something as simple as installing certificate chains. At first I thought it was a Let's Encrypt issue but this afternoon I bought some certificates issued by Comodo and nothing, the same.
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
17:21:59.701 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [91.121.226.53]; the server provided a certificate with subject name [CN=elk2.mydomain.ovh], fingerprint [f611c9e9ce2462ed1f3c7e29035f2db2347e39df], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth, clientAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:elk2.mydomain.ovh,DNS:www.elk2.mydomain.ovh]; the certificate is issued by [CN=Don Dominio / MrDomain RSA DV CA,O=Soluciones Corporativas IP\, SL,L=Manacor,ST=Illes Balears,C=ES] but the server did not provide a copy of the issuing certificate in the certificate chain; the issuing certificate with fingerprint [ce1710a80bd0dfb6ed688c37c8fc066268bd814b] is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/etc/elasticsearch/certs/elk2.mydomain.ovh.ca.crt})])
/etc/kibana/kibana.yml
server.host: "91.121.226.53"
server.publicBaseUrl: "https://elk2.mydomain.ovh:5601"
server.name: "elk2.mydomain.ovh"
server.ssl.enabled: true
server.ssl.certificate: certs/elk2.mydomain.ovh.crt
server.ssl.key: certs/elk2.mydomain.ovh.key
server.ssl.certificateAuthorities: ["certs/elk2.mydomain.ovh.ca.crt"]
elasticsearch.hosts: ["https://elk2.mydomain.ovh:9200"]
elasticsearch.ssl.certificate: certs/elk2.mydomain.ovh.crt
elasticsearch.ssl.key: certs/elk2.mydomain.ovh.key
elasticsearch.ssl.certificateAuthorities: [ "certs/elk2.mydomain.ovh.ca.crt" ]
elasticsearch.ssl.verificationMode: none
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
Elasticsearch
root#elk2:/etc/ssl# grep -Ev '^#|^$' /etc/elasticsearch/elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/elk2.mydomain.ovh.key
  certificate: certs/elk2.mydomain.ovh.crt
  certificate_authorities: ["certs/elk2.mydomain.ovh.ca.crt"]
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/elk2.mydomain.ovh.key
  certificate: certs/elk2.mydomain.ovh.crt
  certificate_authorities: ["certs/elk2.mydomain.ovh.ca.crt"]
cluster.initial_master_nodes: ["elk2.mydomain.ovh"]
http.host: 0.0.0.0
Of course I have verified the files in both the elasticsearch and kibana certs directories, just as I do with any software installation that requires certificates, including the authority (CA) certificate.
Way with Let's Encrypt
elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/privkey.pem
  certificate: certs/fullchain.pem
  certificate_authorities: [
    "certs/chain.pem",
    "certs/cacert.r3.pem"
  ]
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/privkey.pem
  certificate: certs/fullchain.pem
  certificate_authorities: [
    "certs/chain.pem",
    "certs/cacert.r3.pem"  ### Try also with pem root ISRG Root X1 cacert.x1.pem
  ]
cluster.initial_master_nodes: ["elk2.mydomain.ovh"]
http.host: 0.0.0.0
kibana.yml
server.host: "91.121.226.53"
server.publicBaseUrl: "https://elk2.mydomain.ovh:5601"
server.name: "elk2.mydomain.ovh"
server.ssl.enabled: true
server.ssl.certificate: certs/fullchain.pem
server.ssl.key: certs/key.pem
server.ssl.certificateAuthorities: [
  "certs/chain.pem",
  "certs/cacert.r3.pem"
]
elasticsearch.hosts: ["https://elk2.mydomain.ovh:9200"]
elasticsearch.ssl.certificate: certs/fullchain.pem
elasticsearch.ssl.key: certs/fullchain.key
elasticsearch.ssl.certificateAuthorities: [
  "certs/chain.pem",
  "certs/cacert.r3.pem"
]
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
Error
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
18:28:33.799 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [91.121.226.53]; the server provided a certificate with subject name [CN=elk2.endesarrollo.ovh], fingerprint [d3432f5a03043e533bd1a7a1aeabce8964bd1ac2], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth, clientAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:elk2.endesarrollo.ovh]; the certificate is issued by [CN=R3,O=Let's Encrypt,C=US]; the certificate is signed by (subject [CN=R3,O=Let's Encrypt,C=US] fingerprint [a053375bfe84e8b748782c7cee15827a6af5a405] {trusted issuer}) signed by (subject [CN=ISRG Root X1,O=Internet Security Research Group,C=US] fingerprint [933c6ddee95c9c41a40f9f50493d82be03ad87bf] {trusted issuer}) which is issued by [CN=DST Root CA X3,O=Digital Signature Trust Co.] (but that issuer certificate was not provided in the chain); this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/etc/elasticsearch/certs/chain.pem,/etc/elasticsearch/certs/cacert.r3.pem})]) is not configured to trust that issuer but trusts [2] other issuers ([CN=ISRG Root X1,O=Internet Security Research Group,C=US, CN=R3,O=Let's Encrypt,C=US])
java.security.cert.CertificateException: No subject alternative names matching IP address 91.121.226.53 found
Appreciate help.
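The two conditions named in the log lines above (a server that sends only its leaf certificate, and a client that connects by IP address while the certificate's SANs list DNS names only) can be reproduced offline with the Go standard library. This is an added example, not code from the post or from Elasticsearch; the CA hierarchy, the name elk2.example.test and the address 192.0.2.10 are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent/parentKey (self-signed when parent is nil); SANs are DNS names only.
func mkCert(cn string, isCA bool, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verify applies the checks behind the two log lines: presented is what the server sends (leaf first),
// trusted stands in for certificate_authorities, name is the host the client dialled (DNS name or IP).
func verify(presented, trusted []*x509.Certificate, name string) error {
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots: pool(trusted), Intermediates: pool(presented[1:]), DNSName: name})
	return err
}

// run builds a constructed root -> issuing CA -> leaf hierarchy, trusts only the root, and checks three client views.
func run() map[string]error {
	root, rootKey := mkCert("Demo Root CA", true, nil, nil, nil)
	issuing, issuingKey := mkCert("Demo Issuing CA", true, nil, root, rootKey)
	leaf, _ := mkCert("elk2.example.test", false, []string{"elk2.example.test"}, issuing, issuingKey)
	trust := []*x509.Certificate{root}
	return map[string]error{
		"leaf only, by DNS name":    verify([]*x509.Certificate{leaf}, trust, "elk2.example.test"),
		"full chain, by DNS name":   verify([]*x509.Certificate{leaf, issuing}, trust, "elk2.example.test"),
		"full chain, by IP address": verify([]*x509.Certificate{leaf, issuing}, trust, "192.0.2.10"),
	}
}
```

Only the full chain dialled by DNS name verifies; the leaf alone fails as "unknown authority" when the CA file holds just the root, and dialling by IP fails the name check even with a complete chain, which is the second error in the question.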

Related

I set up Keycloak authentication for Elasticsearch, but login does not work properly

I have added the elasticsearch & kibana yml files and a few screenshots. Logging in to the Kibana dashboard works, but the Kibana dashboard does not appear; it redirects back to the previous page.
elasticsearch.yml
# --------------------------------------------------------------------------------
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["surangas-MacBook-Air.local"]
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
xpack.security.authc.realms.oidc.oidc1:
  order: 0
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "http://localhost:5601/app/home#/"
  op.issuer: "http://localhost:8080/realms/oidc1"
  op.authorization_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "https://localhost:8080/realms/oidc1/protocol/openid-connect/certs"
  op.userinfo_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "http://localhost:5601/security/logged_out"
  claims.principal: email
  claims.groups: "http://localhost:8080/claims/groups"
kibana.yml
This is my kibana.yml file; here I have configured the Keycloak login page settings.
# =================== Search Autocomplete ===================
xpack.security.session.idleTimeout: "30m"
xpack.security.session.cleanupInterval: "1d"
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"
    description: "Keycloak"
  basic.basic:
    order: 1
# This section was automatically generated during setup.
elasticsearch.hosts: ['https://192.168.8.184:9200']
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NTUwMDc0NDM1MDY6YXRIcmpaVnRRclMwSHM4NmVJcWpVZw
elasticsearch.ssl.certificateAuthorities: [/Users/suranga/Desktop/Monitoring/test/keycloak/kibana-8.2.0/data/ca_1655007444485.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://192.168.8.184:9200'], ca_trusted_fingerprint: 82d6e3b36b6132052fb895809a97588fb366edf7f3dfba981e724194d2d19af3}]

Redis input over TLS for Logstash

I am trying to set up a secured ELK stack with redis as a buffer:
filebeat -> redis -> logstash -> elastic
I installed redis with TLS configuration, filebeat can communicate with redis over TLS without any issue.
But I don't understand how to configure logstash. There is a boolean option ssl, but where can I provide the redis certificate?
filebeat.yml
output.redis:
  hosts: ["redishost:6379"]
  password: "password"
  key: "filebeat"
  db: 0
  timeout: 5
  ssl:
    enabled: true
    certificate_authorities: ["/etc/filebeat/cert/ca.crt"]
    insecure: true
    supported_protocols: [TLSv1.2]
    verification_mode: none
redis.conf in logstash
redis {
  host => "redishost"
  password => "password"
  db => 0
  key => "filebeat"
  data_type => "list"
  ssl => true
}
Thanks in advance
You cannot configure logstash to trust the redis certificate, or the authority that signed it. The certificate has to be trusted by the JRE or JDK that runs logstash.

Invalid SSL cert error when connecting to elasticsearch using DBeaver es driver

I have trouble using SSL keystore or truststore to connect to Elasticsearch client using DBeaver. This is an elastic stack on k8s installation on my local machine. I followed this official tutorial to set up a connection using DBeaver, but I have trouble figuring out how to make cert validation work.
I logged into the elasticsearch pod, downloaded the cert and key at /usr/share/elasticsearch/config/http-certs/tls.crt and /usr/share/elasticsearch/config/http-certs/tls.key. I combined them into a p12 format using this command:
openssl pkcs12 -export -in combined.pem -out cert.p12
elasticsearch.config:
http:
  ssl:
    certificate: /usr/share/elasticsearch/config/http-certs/tls.crt
    certificate_authorities: /usr/share/elasticsearch/config/http-certs/ca.crt
    enabled: true
    key: /usr/share/elasticsearch/config/http-certs/tls.key
transport:
  ssl:
    certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt
    certificate_authorities:
      - /usr/share/elasticsearch/config/transport-certs/ca.crt
      - /usr/share/elasticsearch/config/transport-remote-certs/ca.crt
    enabled: "true"
    key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key
    verification_mode: certificate
However, I'm getting this invalid cert error:
These are the driver parameters:
What certs do I need in order to pass the cert check? I wish there was an insecure flag to ignore the validation since it runs in localhost.

Elastic Search failed to start after enabling xpack

I am trying to enable xpack in elasticsearch and followed the getting started blog post from elasticsearch site.
Things I did:
I ran this command $/usr/share/elasticsearch/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass "" and entered /etc/elasticsearch/elastic-certificates.p12 when asked for desired output file.
Edited the elasticsearch.yml config file located at /etc/elasticsearch/elasticsearch.yml and entered following lines:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elastic-certificates.p12
Logs/exceptions from /var/log/elasticsearch/elasticsearch.log
2021-06-10T02:58:12,542][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [node-1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested:
ElasticsearchException[failed to create trust manager]; nested: ElasticsearchException[failed to initialize SSL TrustManager - keystore file [/etc/el
asticsearch/elastic-certificates.p12] does not exist]; nested: AccessDeniedException[/etc/elasticsearch/elastic-certificates.p12];
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/elastic-certificates.p12
Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/elastic-certificates.p12
Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/elastic-certificates.p12
The permissions for my .p12 cert file are rw-------
What am I missing here?
I followed the documentation line by line.
Your path in elasticsearch.yml is wrong.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elastic-certificates.p12
If you placed the certificate in the /etc/elasticsearch folder, then correct it to:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
Also make sure that the owner of the cert is root:elasticsearch
sudo chown root:elasticsearch /etc/elasticsearch/elastic-c*
I got this exact same error because I had some leftover files and yes lines in the elasticsearch.yml file for security that were leftover from a previous run.
To rerun Elasticsearch (this worked for Elasticsearch for Windows 10, version 8.4.1) and eliminate this issue, go to the main Elasticsearch folder where it was installed then:
Delete the data and certs folders.
Delete the elasticsearch.keystore file.
Edit the elasticsearch.yml file by removing the generated lines and just leave the comments (default).
I also deleted all the log files under the logs folder to clean things up.
Rerun the startup command for elasticsearch from a command prompt window: .\bin\elasticsearch.bat

The SAML Request AssertionConsumerServiceURL is invalid - Auth0, SAML, Kibana

I'm trying to integrate SSO with Kibana and SAML. I'm using Auth0.
Following are my settings in the yml files
kibana.yml
elasticsearch.hosts: ["https://localhost:9200"]
xpack.security.enabled: true
elasticsearch.ssl.certificate: D:/Piyusha/Extracted/kibana-7.4.1-windows-x86_64/config/certs/client.cer
elasticsearch.ssl.key: D:/Piyusha/Extracted/kibana-7.4.1-windows-x86_64/config/certs/client.key
elasticsearch.ssl.certificateAuthorities: D:/Piyusha/Extracted/kibana-7.4.1-windows-x86_64/config/certs/client-ca.cer
elasticsearch.ssl.verificationMode: certificate
xpack.security.authc.providers: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]
elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki.pki1.order: 0
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: saml/dev-zl4z3q20_auth0_com-metadata.xml
  sp.entity_id: "http://localhost:5601"
  idp.entity_id: "urn:dev-zl4z3q20.auth0.com"
  sp.acs: "http://localhost:5601/api/security/v1/saml"
  sp.logout: "http://localhost:5601/logout"
  attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
  attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
Before adding the SAML settings, everything worked perfectly (authentication, etc.). But after adding the SAML configuration, the Kibana URL redirects to an error page
https://dev-zl4z3q20.auth0.com/samlp/brGsd0sUh18u1oremCeu58L4FxrExgxf?SAMLRequest=fVJbb9sgGP0riHfb4FtSFKfKkmWLlHVR4%2FRhLxPGuEHC4PLhLO2vn3Pp1ElVXuHcOIfJ%2FbHV6CAdKGsKTEOCkTTC1so8F3hXLoMxvp9OgLc67tis93vzKF96CR4NRAPsclPg3hlmOShghrcSmBdsO%2FuxZnFIWOest8JqjGYA0vnBam4N9K10W%2BkOSsjd47rAe%2B87FkXaCq73FjzLckIj3qkIpOid8q%2FRgUYnQ4wWQwJluD%2BnPhFhYNbyELzp9C15iUnIh6wkFLY9M7qoct%2BgJrDb03FPrZPtXPbZeJ0uj%2B7r8fnYYLRaFPh3mjUiz0iV8CRPBaWjOq5jwZPxuBqleU6qu0aMuEgHOEAvVwY8N77AMaF3ASVBQksaszhlWRzmGf2F0eb6%2Bi%2FKXFq9VVV1AQH7XpabYPNzW2L09L7OAMDXLdjZ3X0c4bYwf28eTz%2FteRJ91P23%2BMMgtFpsrFbiFc20tn%2FmTnIvC9xwDRKjpXUt97e9TyeqDpozlHnHDShpPI6mV9f%2Ff9b0Lw%3D%3D
and gives the following error
invalid_request: The SAML Request AssertionConsumerServiceURL is invalid: 'http://localhost:5601/api/security/v1/saml'
TRACKING ID: c682d69fc2f95872f203
The error indicates that the ACS URL being sent in the SAML Request does not match what is configured in Auth0.
Verify that in the Auth0 application's SAML addon settings you have set http://localhost:5601/api/security/v1/saml as the ACS URL.
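To confirm which ACS the SP is actually sending, the SAMLRequest parameter of a redirect like the one above can be decoded: the HTTP-Redirect binding is raw-DEFLATEd, base64-encoded, URL-encoded XML. The Go example below is added here and is not part of the post, Kibana or Auth0; it round-trips a constructed AuthnRequest that carries the question's sp.entity_id and sp.acs, then compares the ACS in the request with the value registered at the IdP.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"io"
	"net/url"
)

// Constructed AuthnRequest carrying the sp.entity_id and sp.acs values from the question.
const sampleRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed1" Version="2.0" IssueInstant="2019-11-01T00:00:00Z" AssertionConsumerServiceURL="http://localhost:5601/api/security/v1/saml"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:5601</saml:Issuer></samlp:AuthnRequest>`

// encodeRedirect applies the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and appends the result to the IdP SSO URL.
func encodeRedirect(idpSSOURL, authnRequest string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only errors on an invalid level
	w.Write([]byte(authnRequest))
	w.Close()
	q := url.Values{"SAMLRequest": {base64.StdEncoding.EncodeToString(buf.Bytes())}}
	return idpSSOURL + "?" + q.Encode()
}

// acsFromRedirect reverses the binding and returns the AssertionConsumerServiceURL the SP asked
// for, which is the value the IdP compares with the ACS registered on the application.
func acsFromRedirect(redirectURL string) (string, error) {
	u, err := url.Parse(redirectURL)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(u.Query().Get("SAMLRequest"))
	if err != nil {
		return "", err
	}
	xmlBytes, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return "", err
	}
	var req struct {
		ACS string `xml:"AssertionConsumerServiceURL,attr"`
	}
	if err := xml.Unmarshal(xmlBytes, &req); err != nil {
		return "", err
	}
	if req.ACS == "" {
		return "", errors.New("SAMLRequest has no AssertionConsumerServiceURL attribute")
	}
	return req.ACS, nil
}

// acsMatches reports whether the ACS in the redirect is exactly the registered one: scheme, host, port and path must all agree.
func acsMatches(redirectURL, registeredACS string) bool {
	acs, err := acsFromRedirect(redirectURL)
	return err == nil && acs == registeredACS
}
```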
