1

RHEL7, Elastic Stack 6.7.1, not using X-Pack (following this guide).

I'm having trouble configuring SSL on Kibana over 5601. First I generated a key, and then I generated a CSR and sent it to the CA. I retrieved the cert and have two available certs: Base64 encoded, and Base64 encoded with CA certificate chain in PKCS7 format.

I retrieved both, put the Base64 one in a mycert.cer file, and put the PKCS7 one in a mycert.p7b file. I converted the PKCS7 into PEM with

openssl pkcs7 -print_certs -in /etc/kibana/certs/mycert.p7b -out /etc/kibana/certs/mycert.pem

I put/made sure that .key, .cer and .pem were in the /etc/kibana/cert folder and changed ownership:group to kibana.

In kibana.yml I put

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/mycert.cer
server.ssl.key: /etc/kibana/certs/mycert.key
elasticsearch.ssl.certificate: /etc/kibana/certs/mycert.pem

Originally I created the CSR with a CN of

myhost.mydomain.tld 

then after it failed I created one with

https://myhost.mydomain.tld:5601

When I try to start Kibana I get an error message of:

digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

In trying to search on the subject I see that it can be caused by incompatible OpenSSL versions - but I'm on the same system so that seems unlikely.

--update-- To add to this, I just created a self-signed cert & CA and that started Kibana right up and it is accessible. Makes me believe the problem is with the CA-signed cert chain.

Chasester

1 Answer

0

So I solved it. I believe the error part was I didn't have the -ext properly set.

I recreated the Key and CSR (my CA must love me) following this strictly

keytool -genkey                  \
        -alias     node01        \
        -keystore  node01.jks    \
        -keyalg    RSA           \
        -keysize   2048          \
        -validity  712           \
        -ext san=dns:node01.example.com,ip:192.168.1.1

then the CSR with this.

keytool -certreq                   \
        -alias      node01         \
        -keystore   node01.jks     \
        -file       node01.csr     \
        -keyalg     rsa            \
        -ext san=dns:node01.example.com,ip:192.168.1.1

I made sure this time to use the -ext option (docs say it's optional) and made darn sure that the alias and the ext were exact. I didn't use the keystore and it just installed it locally.

Then I saved the Key, the base64 Certificate, the PKCS7 version locally - converted the PKCS7 to PEM and set my Kibana to look for the crt, key and the pem.

Chasester
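
An added pre-flight check for the files and settings used in this thread (not part of the original posts and not Kibana code). OpenSSL reports `bad decrypt` when an encrypted private key cannot be decrypted with the passphrase it is given, so the check flags an encrypted key with no `server.ssl.keyPassphrase`, a certificate file that is not PEM, and `key:value` lines missing the space after the colon. The PEM bodies are constructed placeholders and the line parser is a simplified stand-in for a YAML parser.

```python
import re

# Constructed sample inputs: PEM bodies are placeholders, not real key material.
BODY = "Q09OU1RSVUNURUQ=\n"
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\n" + BODY + "-----END PRIVATE KEY-----\n"
LEGACY_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                  + BODY + "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY
                 + "-----END ENCRYPTED PRIVATE KEY-----\n")
CERT = "-----BEGIN CERTIFICATE-----\n" + BODY + "-----END CERTIFICATE-----\n"

def parse_settings(yml_text):
    """Parse flat 'key: value' lines; return (settings, malformed_lines)."""
    settings, malformed = {}, []
    for line in yml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # simplified comment handling
        if not line:
            continue
        m = re.match(r"^([\w.]+):\s+(\S.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
        else:
            malformed.append(line)
    return settings, malformed

def key_is_encrypted(pem):
    """True for PKCS#8 encrypted keys and legacy Proc-Type-encrypted keys."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem

def preflight(yml_text, files):
    """files maps path -> file text. Returns a list of findings (empty = ok)."""
    settings, malformed = parse_settings(yml_text)
    findings = ["malformed line (need 'key: value'): " + l for l in malformed]
    key = files.get(settings.get("server.ssl.key", ""), "")
    cert = files.get(settings.get("server.ssl.certificate", ""), "")
    if "PRIVATE KEY-----" not in key:
        findings.append("server.ssl.key is not a PEM private key")
    elif key_is_encrypted(key) and "server.ssl.keyPassphrase" not in settings:
        findings.append("key is encrypted but server.ssl.keyPassphrase is not set")
    if cert.count("-----BEGIN CERTIFICATE-----") == 0:
        findings.append("server.ssl.certificate has no PEM certificate (DER?)")
    return findings

if __name__ == "__main__":
    yml = ("server.ssl.certificate: /etc/kibana/certs/mycert.cer\n"
           "server.ssl.key: /etc/kibana/certs/mycert.key\n")
    print(preflight(yml, {"/etc/kibana/certs/mycert.cer": CERT,
                          "/etc/kibana/certs/mycert.key": PKCS8_ENC_KEY}))
```

On a real host, read the two files named in kibana.yml into the `files` mapping instead of the constructed samples.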