Use case:
ES is enabled with certs signed by a CA. Kibana is configured to access the https URL for ES, but elasticsearch.ssl.ca is not set up (or points to an invalid CA cert).
Kibana keeps trying to connect to ES and repeatedly throws the warning:
log [00:18:09.562] [warning][elasticsearch] No living connections
log [00:18:12.129] [warning][elasticsearch] Unable to revive connection: https://localhost:9200/
However, there is no indication of the underlying cause. Other clients, when connecting to an SSL-enabled ES without a valid CA cert, will throw errors like "certificate verification", "Invalid certificate chain", etc. It would be helpful for Kibana to report some client-side SSL connection errors.
@elastic/kibana-security is this still the case, or good to be closed?
@elastic/kibana-operations
@ppf2 I just tested this on Kibana and Elasticsearch on version 6.5.4 with the following setup:
Elasticsearch
Signed with self certificates (created according to the docs https://www.elastic.co/guide/en/elasticsearch/reference/6.5/configuring-tls.html#node-certificates) and with the following config:
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
Kibana
Default Kibana config with the following overrides:
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.ssl.certificateAuthorities: [ "elastic-stack-ca.pem" ]
If you paid attention to the Kibana logs, the very first elasticsearch error will be:
server log [04:16:00.335] [error][admin][elasticsearch] Request error, retrying
HEAD https://localhost:9200/ => Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: instance
Only after this first error we will start reading the next logs:
server log [04:16:18.025] [warning][admin][elasticsearch] Unable to revive connection: https://localhost:9200/
server log [04:16:18.026] [warning][admin][elasticsearch] No living connections
In case we wanna connect successfully to the elasticsearch with this self signed certificate we should add an extra config to the kibana.yml:
elasticsearch.ssl.verificationMode: certificate
@ppf2 are you okay with closing the issue? I just think for the current version of elasticsearch-js the logs are being written to the console as they were intended to be.
Yah, this was from 3+yrs ago. If the latest is writing out more information, we are good to close, thx!
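The hostname-mismatch message quoted in the comment above can be reproduced offline with Node's own `tls.checkServerIdentity`, which also shows why `verificationMode: certificate` makes the connection succeed. This is an added example, not code from the thread, Kibana or elasticsearch-js; `classifyTlsError`, `tlsOptionsFor`, `diagnose` and `SAMPLE_CERT` are hypothetical names, and the mapping from `verificationMode` to Node TLS options is an assumption based on the setting's documented behaviour.

```javascript
'use strict';
const tls = require('tls');

// Real Node.js/OpenSSL error codes, grouped by the root cause an operator cares about.
const CAUSES = {
  ERR_TLS_CERT_ALTNAME_INVALID: 'hostname-mismatch',
  UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'untrusted-ca',
  UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 'untrusted-ca',
  SELF_SIGNED_CERT_IN_CHAIN: 'untrusted-ca',
  DEPTH_ZERO_SELF_SIGNED_CERT: 'untrusted-ca',
  CERT_HAS_EXPIRED: 'expired',
};

function classifyTlsError(err) {
  return (err && CAUSES[err.code]) || 'not-tls';
}

// Assumed mapping of elasticsearch.ssl.verificationMode onto Node TLS options.
function tlsOptionsFor(mode) {
  switch (mode) {
    case 'full': // chain and hostname are both verified
      return { rejectUnauthorized: true };
    case 'certificate': // chain is still verified, hostname check is skipped
      return { rejectUnauthorized: true, checkServerIdentity: () => undefined };
    case 'none': // no verification at all
      return { rejectUnauthorized: false };
    default:
      throw new Error(`unknown verificationMode: ${mode}`);
  }
}

// Constructed sample shaped like TLSSocket#getPeerCertificate():
// CN "instance" and no subjectAltName, as in the log line in the thread.
const SAMPLE_CERT = { subject: { CN: 'instance' } };

// Apply only the identity (hostname) step that the given mode would run.
// Chain validation against the CA happens separately, during the handshake.
function diagnose(mode, host, peerCert) {
  const opts = tlsOptionsFor(mode);
  if (!opts.rejectUnauthorized) return { ok: true, verified: false };
  const check = opts.checkServerIdentity || tls.checkServerIdentity;
  const err = check(host, peerCert);
  if (!err) return { ok: true, verified: true };
  return { ok: false, cause: classifyTlsError(err), message: err.message };
}

for (const mode of ['full', 'certificate']) {
  console.log(mode, diagnose(mode, 'localhost', SAMPLE_CERT));
}
```

With `certificate` mode the CA chain must still validate, so a wrong or missing `elasticsearch.ssl.certificateAuthorities` entry would surface as one of the `untrusted-ca` codes rather than a hostname mismatch.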