Unable to use HTTPS after adding SSL configs in readonlyrest

1

Hi Team,

I was trying to use the HTTPS authentication in my ELK Stack, but it is not working. I have used the existing keystore.jks in readonlyrest.yml file.

Elasticsearch is getting started on HTTP but not on HTTPS, whereas Kibana gives “Kibana server is not ready yet”

I have added below in elasticsearch.yml
http.type: ssl_netty4
transport.type: ror_ssl_internode

readonlyrest.yml:

readonlyrest:
        enable: true
        access_control_rules:
        - name: "Basic Authentication to get started with"
          indices: ["*"]
          type: "allow"
          auth_key: "xxx:yyy"

        ssl:
          keystore_file: "/etc/elasticsearch/keystore.jks"
          keystore_pass: xxxx
          key_pass: xxxx

        ssl_internode:
          keystore_file: "/etc/elasticsearch/keystore.jks"
          keystore_pass: xxxx
          key_pass: xxxx
          certificate_verification: true

And have updated the elasticsearch url from HTTP to HTTPS in kibana.yml.

Filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /xxxxx/logs/*
  setup.template.enabled: false

output.logstash:
  hosts: ["log-01:5044", "log-02:5044", "log-03:5044"]
  #enabled: true
  loadbalance: true

setup.kibana:
  host: "xxxx:5601"

Error logs in Elasticsearch

[2019-11-28T06:57:30,454][INFO ][o.e.l.LicenseService ] [cs-es-node-01] license [1bcd9dd7-3a24-475a-a401-a97df98ac161] mode [basic] - valid
[2019-11-28T06:57:30,547][INFO ][t.b.r.u.SSLCertParser$ ] [cs-es-node-01] ROR SSL: attempting with JKS keystore…
[2019-11-28T06:57:30,621][INFO ][t.b.r.u.SSLCertParser$ ] [cs-es-node-01] ROR SSL: ssl.key_alias not configured, took first alias in keystore: hellenicacademicandresearchinstitutionsrootca2011
[2019-11-28T06:57:30,625][ERROR][t.b.r.u.SSLCertParser$ ] [cs-es-node-01] ROR SSL: Failed to load SSL certs and keys from JKS Keystore! MalformedSslSettings: Private key not found in keystore for alias: hellenicacademicandresearchinstitutionsrootca2011
tech.beshu.ror.utils.MalformedSslSettings: Private key not found in keystore for alias: hellenicacademicandresearchinstitutionsrootca2011
at tech.beshu.ror.utils.SSLCertParser$.$anonfun$tryRun$1(SSLCertParser.scala:79) ~[core-1.18.8.jar:?]
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23) ~[scala-library-2.12.9.jar:?]
at scala.util.Try$.apply(Try.scala:213) ~[scala-library-2.12.9.jar:?]
at tech.beshu.ror.utils.SSLCertParser$.tryRun(SSLCertParser.scala:55) ~[core-1.18.8.jar:?]
at tech.beshu.ror.utils.SSLCertParser$.run(SSLCertParser.scala:37) [core-1.18.8.jar:?]
at tech.beshu.ror.es.ssl.SSLNetty4HttpServerTransport$SSLHandler.$anonfun$new$1(SSLNetty4HttpServerTransport.scala:64) [readonlyrest-1.18.8_es7.3.2.jar:?]

Error logs in Kibana

“message”:“PollError No Living connections”}
“message”:“No living connections”}

Please help me. I am a newbie in ELK and I know i am doing something wrong here.

Br
Pankaj N

2

How did you create the cert?

3

Hi,

I have used the exisitng .jks file which i am using with my JENKINS CI/CD tool. I simply renamed it to keystore.jks

And as per check, keystore.jks is a valid one,

$ keytool -list -v -keystore keystore.jks -storepass xxxx | grep -i valid

Valid from: Tue Dec 06 19:19:52 IST 2011 until: Mon Dec 01 19:19:52 IST 2031

Valid from: Thu Dec 05 18:53:33 IST 2002 until: Sun Dec 05 18:53:33 IST 2032

Valid from: Thu Oct 18 17:30:50 IST 2007 until: Mon Oct 18 17:30:50 IST 2032

Valid from: Mon Nov 27 05:30:00 IST 2006 until: Thu Jul 17 05:29:59 IST 2036

Valid from: Tue Dec 23 17:44:06 IST 2003 until: Sun Jan 21 17:06:54 IST 2024

Valid from: Fri Jan 13 01:56:32 IST 2012 until: Mon Jan 13 01:56:32 IST 2042

Valid from: Wed Nov 08 01:12:28 IST 2006 until: Tue Jan 01 01:22:06 IST 2030

Valid from: Fri Feb 12 23:45:23 IST 2016 until: Tue Feb 12 23:45:23 IST 2041

Valid from: Mon Oct 19 13:13:30 IST 2015 until: Fri Oct 19 13:13:30 IST 2035

Valid from: Thu Jan 12 22:57:44 IST 2012 until: Sun Jan 12 22:57:44 IST 2042

Valid from: Wed May 20 14:08:15 IST 2009 until: Tue Dec 31 14:08:15 IST 2030

Br
Pankaj

4

Excellent, how does the configuration look like it in the other programs that use it successfully?