Error with enabling SSL w/CA Cert


(mdnuts) #1

In trying to complete my ROR install, I got a system cert from my CA. I converted the PEM (PKCS7) and imported it into the keystore.js file. In the kibana.yml file I set
server.ssl.enabled: true
server.ssl.certificate: /path/to/the/pem (inside Kibana config directory)
server.ssl.key: /path/to/the/key (also inside kibana config directory)

Then when I go to start Kibana I see the error

FATAL Error: digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

Googling it showed me this page: but my PEM file has the chain included in it.

Any pointers?


(Simone Scarduzio) #2

@mdnuts, your SSL settings are incorrect.

server.ssl.enabled: true 
server.ssl.certificate: "keystore.jks" # <-- a path relative to the folder where elasticsearch.yml is found (can also be an absolute path) 
server.ssl.key: "somepassword" # <-- just a string, and it's optional

The most difficult part here is to get the jks part right. It must contain the whole certificate chain.
The good part is that this task is no different from creating a java key store for Tomcat, and this is generally something that at least one admin in the company is experienced in doing.

I leave here the link to our documentation for configuring SSL in ROR


(mdnuts) #3

Yeah, usually it’s hard to get that admin free. I read all of the docs a few times over but they’re not that detailed for it.

When I put this in the kibana.yml

server.ssl.enabled: true
server.ssl.certificate: "keystore.jks"
server.ssl.key: "somepassword"

First it says that the key and certificate are required, so I put in the path to the key file.
Then it says it won’t read the keystore.jks, saying it doesn’t have permissions (worked before with self-signed). If I copy the jks into the Kibana config folder and chown it to kibana, now it’s tossing me other errors I’m going to try and track down.


(Simone Scarduzio) #4

You mean elasticsearch.yml? I thought we were talking about enabling HTTPS on port 9200 of Elasticsearch!


(mdnuts) #5

No, I’m trying to get SSL to work for Kibana.

I didn’t think anything went in elasticsearch.yml except for http.type:ssl_netty4 (plus the readonlyrest.yml)


(Simone Scarduzio) #6

Oh OK, well then HTTPS in Kibana web server is a feature of core Kibana. You can check Elastic’s docs.

https://www.elastic.co/guide/en/kibana/current/configuring-tls.html


(mdnuts) #7

Alright, I’m going to go beat my head off the desk.


(mdnuts) #8

In the event anyone else runs across this (or I do later on), I eventually got it to work.

I recreated the Key and CSR (my CA must love me) following this strictly

keytool -genkey                  \
        -alias     node01        \
        -keystore  node01.jks    \
        -keyalg    RSA           \
        -keysize   2048          \
        -validity  712           \
        -ext san=dns:node01.example.com,ip:192.168.1.1

Then the CSR with this.

keytool -certreq                   \
        -alias      node01         \
        -keystore   node01.jks     \
        -file       node01.csr     \
        -keyalg     rsa            \
        -ext san=dns:node01.example.com,ip:192.168.1.1

I made sure this time to use the -ext option (docs say it’s optional) and made darn sure that the alias and the ext were exact. I didn’t use the keystore and it just installed it locally.

Then I saved the Key, the base64 Certificate, the PKCS7 version locally - converted the PKCS7 to PEM and set my Kibana to look for the crt, key and the pem.
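
Added example, not part of the original thread: a shell preflight that classifies the files kibana.yml points at by their PEM armor lines, flagging the two mix-ups discussed above (a PKCS7 container used where PEM certificates are expected, and a passphrase-protected key, which OpenSSL cannot decrypt without the right passphrase). The function names and sample file names are hypothetical, and the sample files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: classify PEM files by armor lines only (nothing is decrypted).

# pem_kind FILE -> prints encrypted-key | plain-key | pkcs7 | certificate | unknown
pem_kind() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" ||
       grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key   # decrypting it needs the right passphrase
    elif grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plain-key
    elif grep -q -e '-----BEGIN PKCS7-----' "$1"; then
        echo pkcs7           # container format; convert to PEM certificates first
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    else
        echo unknown
    fi
}

# cert_count FILE -> number of certificates in a PEM file (leaf plus chain)
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# check_kibana_tls KEY CERT -> prints findings; returns 1 if a file needs attention
check_kibana_tls() {
    rc=0
    case "$(pem_kind "$1")" in
        plain-key)     echo "key: unencrypted PEM private key" ;;
        encrypted-key) echo "key: encrypted, passphrase must match"; rc=1 ;;
        *)             echo "key: not a PEM private key"; rc=1 ;;
    esac
    case "$(pem_kind "$2")" in
        certificate) echo "certificate: $(cert_count "$2") certificate(s)" ;;
        pkcs7)       echo "certificate: PKCS7 container, not PEM certificates"; rc=1 ;;
        *)           echo "certificate: not a PEM certificate"; rc=1 ;;
    esac
    return "$rc"
}

# make_samples DIR -> writes constructed sample files (placeholder bodies)
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' '-----BEGIN PKCS7-----' 'AAAA' '-----END PKCS7-----' > "$1/ca.p7b"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$1/chain.pem"
}

# Usage: sh preflight.sh /path/to/key /path/to/cert
if [ "$#" -eq 2 ]; then check_kibana_tls "$1" "$2"; fi
```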