'Dev Tools' console fails when trying to communicate with ES cluster over SSL (signed by enterprise CA) with the following error:
Error connecting to 'https://elasticsearch:9200/_search':
Client request error: unable to verify the first certificate
Additionally, in the browser console:
Failed to load resource: https://elasticsearch:5601/api/console/proxy?uri=_search the server responded with a status of 502 (Bad Gateway)
At the same time Kibana itself works just fine, can access all indices and talk to ES over SSL.
It looks like 'Dev Tools' is a separate NodeJS app and it does not honour "ca:" option in kibana.yml.
To reproduce:
xpack.security.http.ssl.enabled: true
xpack.security.ssl.keystore.path: /elasticsearch/config/store.jks
xpack.security.ssl.keystore.password: blahblah
xpack.security.ssl.keystore.key_password: blahblah
(https://es:9200 works OK with right cert presented to the user)
ca: /etc/pki/tls/certs/ca.crt
elasticsearch.url: "https://elasticsearch:9200"
I have the same problem, even with self-signed certificates following the elastic guides. In kibana.yml I tried to set the elasticsearch.ssl.ca to the ca files from certgen, I tried elasticsearch.ssl.verify to true or false, restarting Kibana every time, same observation as nktl: Client request error: unable to verify the first certificate in the Dev Tools.
I opened a post on the x-pack forums about this. It seems like a bug, hope it can be fixed soon.
Found workaround:
add NODE_TLS_REJECT_UNAUTHORIZED=0 to /etc/default/kibana (or whatever file that sets env variable for the process in your Linux distro)
(of course this is disabling SSL validation check in Kibana globally)
I added export NODE_TLS_REJECT_UNAUTHORIZED=0 to the kibana script that comes in the download in the bin/ folder, and it is working now. For development/testing purposes this should be OK, thank you nktl
Appears to be a duplicate issue: https://github.com/elastic/kibana/issues/7128#issuecomment-217177182
Try:
console.proxyConfig:
  - match:
      host: "*"
      port: "{9200..9202}"
    ssl:
      ca: "/etc/pki/tls/certs/ca.crt"
It's probably better for security to use the specific es endpoint hostname in place of "*" if possible.
This should fix it and remember to remove the workaround of disabling tls rejection if you've used that to get it working previously.
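A check for the cleanup step mentioned above, as an added example that is not part of the original thread: it scans Kibana's environment file, launcher script or kibana.yml for the verification-disabling settings named in this thread and for the wildcard `host` match. The function name and the sample file paths are constructed for illustration.

```bash
#!/bin/sh
# Added example: find leftover TLS-verification workarounds in Kibana files.
# The function body runs in a subshell "( )" so its variables stay local.
audit_kibana_tls() (
    fails=0 q="[\"']?" s='[[:space:]]'
    for file in "$@"; do
        [ -r "$file" ] || { echo "SKIP $file: not readable"; continue; }
        # Process-wide switch: Node.js stops validating every TLS peer.
        if grep -Eq "^$s*(export$s+)?NODE_TLS_REJECT_UNAUTHORIZED=${q}0${q}$s*\$" "$file"; then
            echo "FAIL $file: NODE_TLS_REJECT_UNAUTHORIZED=0 is set"
            fails=$((fails + 1))
        fi
        # Kibana-to-Elasticsearch verification switched off in kibana.yml.
        if grep -Eq "^$s*elasticsearch\.ssl\.verify:$s*${q}false${q}" "$file"; then
            echo "FAIL $file: elasticsearch.ssl.verify is false"
            fails=$((fails + 1))
        fi
        # Wildcard match applies the proxy rule to any host (advisory only).
        if grep -Eq "^$s*(-$s*)?host:$s*${q}\*${q}$s*\$" "$file"; then
            echo "WARN $file: host \"*\" matches every host; name the ES endpoint"
        fi
    done
    [ "$fails" -eq 0 ]   # exit status 0 only when no FAIL was reported
)

# Constructed sample files, not taken from a real host.
demo_dir=$(mktemp -d)
echo 'NODE_TLS_REJECT_UNAUTHORIZED=0' > "$demo_dir/default-kibana"
cat > "$demo_dir/kibana.yml" <<'EOF'
elasticsearch.url: "https://elasticsearch:9200"
elasticsearch.ssl.verify: false
console.proxyConfig:
  - match:
      host: "*"
      port: "{9200..9202}"
    ssl:
      ca: "/etc/pki/tls/certs/ca.crt"
EOF
audit_kibana_tls "$demo_dir/default-kibana" "$demo_dir/kibana.yml" ||
    echo "verification workarounds still present"
```

Lines that are commented out with `#` are ignored, so a disabled workaround left in the file as a comment does not count as a finding.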
+1
I had the same problem as well, racked my brain and trolled this forum and others for a solution. After bringing up my dilemma to my Sr. Sys Admin he pointed out where I went wrong. The solution is definitely certificate related. The directions given by Elastic on how one creates a CSR are spot on; however, how to apply the CRT was not so clear, at least to me.
The fix for me was to ensure I used the signed CSR certificate—this certificate is the CSR and CA that signed it. This is not the server private key cert.
I am using the rpm elastic stack build on a single server in dev, so my elastic config is along /etc path:
My elasticsearch.yml
xpack.ssl.key: /etc/elasticsearch/x-pack/_privatekey_.pem
xpack.ssl.key.passphrase: _password_
xpack.ssl.certificate: /etc/elasticsearch/x-pack/_publickey_.pem
xpack.ssl.certificate_authorities: /etc/elasticsearch/x-pack/_signedCSR_.pem
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
My kibana.yml
server.ssl.cert: /etc/elasticsearch/x-pack/_publickey_.pem
server.ssl.key: /etc/elasticsearch/x-pack/_privatekey_.pem
elasticsearch.ssl.cert: /etc/elasticsearch/x-pack/_publickey_.pem
elasticsearch.ssl.key: /etc/elasticsearch/x-pack/_privatekey_.pem
elasticsearch.ssl.ca: /etc/elasticsearch/x-pack/_signedCSR_.pem
Hope this may help others troubleshoot their scenario, modify as needed
Thanks for that detail, quacaci!
I'm having the same problem.
elasticsearch.ssl.verify: false
doesn't help
This should be fixed with https://github.com/elastic/kibana/pull/9823 in the upcoming 5.3 release. Until then, the console.proxyConfig configuration mentioned above should do the trick.
I am installing x-pack in kibana 6.2.4, but I can't install x-pack.
The console output is the following:
D:\elastickibana-6.2.4-windows-x86_64\bin>kibana-plugin install x-pack
Attempting to transfer from x-pack
Attempting to transfer from https://artifacts.elastic.co/downloads/kibana-plugins/x-pack/x-pack-6.2.4.zip
Error: Client request error: unable to verify the first certificate
Plugin installation was unsuccessful due to error "Client request error: unable to verify the first certificate"
How can I solve this problem?
@vajin1125 are you running on a network behind an SSL proxy? If that is the case, this issue isn't the one that you're experiencing, and this issue is specifically around using the DevTools plugin in Kibana with SSL on Elasticsearch.
To get around the issue that I believe you're having, I'd suggest downloading the zip to "D:\elastic\x-pack-6.2.4.zip" and then installing using kibana-plugin install file:///D:/elastic/x-pack-6.2.4.zip