Develop Reference

Elasticsearch and Kibana 8.4 issues with certificates: Comodo or Let's Encrypt

I can't get Elastic and Kibana to work with real certificates from either Let's encrypt or Comodo.
I've thought about it a thousand times, but no matter how much I read and reread, I can't find the error of something as simple as installing certificate chains. At first I thought it was a Let's Encrypt issue but this afternoon I bought some certificates issued by Comodo and nothing, the same.
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
17:21:59.701 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [91.121.226.53]; the server provided a certificate with subject name [CN=elk2.mydomain.ovh], fingerprint [f611c9e9ce2462ed1f3c7e29035f2db2347e39df], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth, clientAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:elk2.mydomain.ovh,DNS:www.elk2.mydomain.ovh]; the certificate is issued by [CN=Don Dominio / MrDomain RSA DV CA,O=Soluciones Corporativas IP\, SL,L=Manacor,ST=Illes Balears,C=ES] but the server did not provide a copy of the issuing certificate in the certificate chain; the issuing certificate with fingerprint [ce1710a80bd0dfb6ed688c37c8fc066268bd814b] is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/etc/elasticsearch/certs/elk2.mydomain.ovh.ca.crt})])
/etc/kibana/kibana.yml
server.host: "91.121.226.53"
server.publicBaseUrl: "https://elk2.mydomain.ovh:5601"
server.name: "elk2.mydomain.ovh"
server.ssl.enabled: true
server.ssl.certificate: certs/elk2.mydomain.ovh.crt
server.ssl.key: certs/elk2.mydomain.ovh.key
server.ssl.certificateAuthorities: ["certs/elk2.mydomain.ovh.ca.crt"]
elasticsearch.hosts: ["https://elk2.mydomain.ovh:9200"]
elasticsearch.ssl.certificate: certs/elk2.mydomain.ovh.crt
elasticsearch.ssl.key: certs/elk2.mydomain.ovh.key
elasticsearch.ssl.certificateAuthorities: [ "certs/elk2.mydomain.ovh.ca.crt" ]
elasticsearch.ssl.verificationMode: none
logging:
appenders:
file:
type: file
fileName: /var/log/kibana/kibana.log
layout:
type: json
root:
appenders:
- default
- file
pid.file: /run/kibana/kibana.pid
Elasticsearch
root#elk2:/etc/ssl# grep -Ev '^#|^$' /etc/elasticsearch/elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
key: certs/elk2.mydomain.ovh.key
certificate: certs/elk2.mydomain.ovh.crt
certificate_authorities: ["certs/elk2.mydomain.ovh.ca.crt"]
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
key: certs/elk2.mydomain.ovh.key
certificate: certs/elk2.mydomain.ovh.crt
certificate_authorities: ["certs/elk2.mydomain.ovh.ca.crt"]
cluster.initial_master_nodes: ["elk2.mydomain.ovh"]
http.host: 0.0.0.0
Of course I have verified the files found in both the elasticsearch and kibana certs, just as I do with any software installation that requires certificates, including authority or CA
Way with LetsEncript
elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
key: certs/privkey.pem
certificate: certs/fullchain.pem
certificate_authorities: [
"certs/chain.pem",
"certs/cacert.r3.pem"
]
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
key: certs/privkey.pem
certificate: certs/fullchain.pem
certificate_authorities: [
"certs/chain.pem",
"certs/cacert.r3.pem" ### Try also with pem root ISRG Root X1 cacert.x1.pem
]
cluster.initial_master_nodes: ["elk2.mydomain.ovh"]
http.host: 0.0.0.0
kibana.yml
server.host: "91.121.226.53"
server.publicBaseUrl: "https://elk2.mydomain.ovh:5601"
server.name: "elk2.mydomain.ovh"
server.ssl.enabled: true
server.ssl.certificate: certs/fullchain.pem
server.ssl.key: certs/key.pem
server.ssl.certificateAuthorities: [
"certs/chain.pem",
"certs/cacert.r3.pem"
]
elasticsearch.hosts: ["https://elk2.mydomain.ovh:9200"]
elasticsearch.ssl.certificate: certs/fullchain.pem
elasticsearch.ssl.key: certs/fullchain.key
elasticsearch.ssl.certificateAuthorities: [
"certs/chain.pem",
"certs/cacert.r3.pem"
]]
logging:
appenders:
file:
type: file
fileName: /var/log/kibana/kibana.log
layout:
type: json
root:
appenders:
- default
- file
pid.file: /run/kibana/kibana.pid
Error
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
18:28:33.799 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [91.121.226.53]; the server provided a certificate with subject name [CN=elk2.endesarrollo.ovh], fingerprint [d3432f5a03043e533bd1a7a1aeabce8964bd1ac2], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth, clientAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:elk2.endesarrollo.ovh]; the certificate is issued by [CN=R3,O=Let's Encrypt,C=US]; the certificate is signed by (subject [CN=R3,O=Let's Encrypt,C=US] fingerprint [a053375bfe84e8b748782c7cee15827a6af5a405] {trusted issuer}) signed by (subject [CN=ISRG Root X1,O=Internet Security Research Group,C=US] fingerprint [933c6ddee95c9c41a40f9f50493d82be03ad87bf] {trusted issuer}) which is issued by [CN=DST Root CA X3,O=Digital Signature Trust Co.] (but that issuer certificate was not provided in the chain); this ssl context ([xpack.security.http.ssl (with trust configuration: PEM-trust{/etc/elasticsearch/certs/chain.pem,/etc/elasticsearch/certs/cacert.r3.pem})]) is not configured to trust that issuer but trusts [2] other issuers ([CN=ISRG Root X1,O=Internet Security Research Group,C=US, CN=R3,O=Let's Encrypt,C=US])
java.security.cert.CertificateException: No subject alternative names matching IP address 91.121.226.53 found
```
Apreciate help.

i setup keycloak authentication for elasticsearch.but login is not work properlly

i have add elasticsearch & kibana yml files and few screenshots.for login kibana dashboard it take properly but kibana dashboard not appear it will redirect again back page.
video link - enter link description here
screenshot --> keycloak client configurations
elasticsearch.yml
# --------------------------------------------------------------------------------
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["surangas-MacBook-Air.local"]
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
xpack.security.authc.realms.oidc.oidc1:
order: 0
rp.client_id: "kibana"
rp.response_type: code
rp.redirect_uri: "http://localhost:5601/app/home#/"
op.issuer: "http://localhost:8080/realms/oidc1"
op.authorization_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/auth"
op.token_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/token"
op.jwkset_path: "https://localhost:8080/realms/oidc1/protocol/openid-connect/certs"
op.userinfo_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/userinfo"
op.endsession_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/logout"
rp.post_logout_redirect_uri: "http://localhost:5601/security/logged_out"
claims.principal: email
claims.groups: "http://localhost:8080/claims/groups"
kibana.yml
this my kibana.yml file. here i have configure keycloak login page configurations
# =================== Search Autocomplete ===================
xpack.security.session.idleTimeout: "30m"
xpack.security.session.cleanupInterval: "1d"
xpack.security.authc.providers:
oidc.oidc1:
order: 0
realm: "oidc1"
description: "Keycloak"
basic.basic:
order: 1
# This section was automatically generated during setup.
elasticsearch.hosts: ['https://192.168.8.184:9200']
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NTUwMDc0NDM1MDY6YXRIcmpaVnRRclMwSHM4NmVJcWpVZw
elasticsearch.ssl.certificateAuthorities: [/Users/suranga/Desktop/Monitoring/test/keycloak/kibana-8.2.0/data/ca_1655007444485.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://192.168.8.184:9200'], ca_trusted_fingerprint: 82d6e3b36b6132052fb895809a97588fb366edf7f3dfba981e724194d2d19af3}]

Cannot set password for elastic user

I'm following this post, security session to set up a new password for elastic user. Running ./bin/elasticsearch-setup-passwords interactive gave:
Failed to determine the health of the cluster running at http://es-ip-1:9200
Unexpected response code [503] from calling GET http://es-ip-1:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
Unexpected response code [503] from calling PUT http://es-ip-1:9200/_security/user/apm_system/_password?pretty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index
ERROR: Failed to set password for user [apm_system].
I entered the same password for all these elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user. What wrong did I do here, logging in elastic with new password doesn't work. Thanks.
Update
Config is the same on both nodes, except the network.host which is the private IP address of each node
elasticsearch.yml
network.host: es-ip-1
discovery.zen.ping.unicast.hosts: [es-ip-1, es-ip-2, es-ip-3]
discovery.zen.minimum_master_nodes: 2
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Figured it out, gotta copy the cert to all the nodes, in this case it's elastic-certificates.p12.

Conditional enabling of HTTPS in Springboot application

I would like to enable or disable the SSL/TLS with external configuration which can be provided during the application startup.
The application should support all crud operations for http and https.
## SSL
server.port=8081
server.ssl.key-store=file:C:\\Users\\karthik\\hnm.p12
server.ssl.key-store-password=C*GSYS
server.ssl.keyStoreType=PKCS12
These properties are defined in application.properties
#Spring Security
security.require-ssl=false
Since the above property is deprecated, how can i achieve it without using the profiles.

To disable SSL, you can use:
server.ssl.enabled = false
Have a look at the server properties documentation for details.

The properties if defined in application.yml
server:
tomcat:
accesslog:
enabled: true
ssl:
key-store-type: PKCS12
key-store: file:C:\\Users\\karthik\\hnm.p12
enabled: true
protocol: TLS
key-store-password: C*GSYS
enabling and disabling the HTTPS can be achieved without code change.
Tried and tested in Sprint boot 2.2.4.RELEASE

Spring Boot project with SSL / HTTPS not working on AWS Elastic Beanstalk

My Spring Boot project works fine on https / ssl, when serving locally, using a p12 cert, but fails when uploading to AWS Elastic Beanstalk.
The following is the application.properties configuration:
security.require-ssl=true
server.use-forward-headers=true
server.port=8443
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: jonathan
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
The WebSecurityConfigurerAdapter subclass, configure(HttpSecurity http) method, contains the following line, to enable HTTPS / SSL:
http.requiresChannel().antMatchers("/**").requiresSecure();
Attached is classic load configurer configuration, inside AWS elastic beanstalk console:
Here is the SSL Certificate issued with the grasshapper.net domain, under AWS Certificate Manager:
I also have settings for under .ebextensions, the file with path is, src/main/resources/.ebextensions/.config (not sure if even needed):
option_settings:
aws:elb:listener:8443:
SSLCertificateId: [keeping private]
ListenerProtocol: HTTPS
InstancePort: 80
InstanceProtocol: HTTP
aws:elb:listener:80:
ListenerEnabled: false
Note (SSLCertifcateId): the ID is taken from the ARN, my AWS Certifcate manager SSL Certificate (if you expand the SSL Certificate you will see the ARN).

Does the proxy have a trusted IP address?
By default, IP addresses in 10/8, 192.168/16, 169.254/16 and 127/8 are
trusted. You can customize the valve’s configuration by adding an
entry to application.properties, as shown in the following example:
server.tomcat.internal-proxies=192\.168\.\d{1,3}\.\d{1,3}
Reference: https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto-embedded-web-servers.html#howto-customize-tomcat-behind-a-proxy-server