docker-elk: Kibana SSL problem to expose

Hi,

I am trying to expose Kibana on a subdomain like watchlog.example.com via Cloudflare but I don’t know why it doesn’t work.

This is what Cloudflare shows: Error 525 SSL handshake failed

Here is my docker-compose.yml

  kibana:
    build:
      context: kibana/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro,Z
      # (!) CA certificate. Generate using instructions from tls/README.md.
      - ./tls/kibana/elasticsearch-ca.pem:/usr/share/kibana/config/elasticsearch-ca.pem:ro,z
    ports:
      - "443:5601"
    environment:
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
    networks:
      - elk
    depends_on:
      - elasticsearch

and my kibana.yml

server.name: kibana
server.host: 0.0.0.0
elasticsearch.hosts: [ "https://elasticsearch:9200" ]
monitoring.ui.container.elasticsearch.enabled: true

## X-Pack security credentials
#
elasticsearch.username: kibana_system
elasticsearch.password: ${KIBANA_SYSTEM_PASSWORD}

##
## TLS configuration
## See instructions from README to enable.
##
elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]
## Communications between Kibana and Elasticsearch
## see https://www.elastic.co/guide/en/kibana/current/configuring-tls.html#configuring-tls-kib-es
#
elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]

Am I missing something?

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15

Most upvoted comments

For posterity, there is now a new section inside tls/README.md which explains how to enable TLS in the Kibana server (between web browsers and Kibana), as well as a sample certificate and key which Kibana is pre-configured to use when TLS is enabled.

@antoineco I tried everything from scratch and now it works (chmod 777 instead of o+rw)! Your tutorial should be integrated somewhere in the documentation!

Thank you so much

Did you cd to the tls directory before issuing the commands?

yes of course, I also tried to create the “tls” folder inside the elasticsearch container (which did not exist) and chmod it to 777 but still the same error…

You can see here: https://imgur.com/WCTQl9s

Indeed, the tooling is inside the Elasticsearch container. You don’t need to execute commands on the running Elasticsearch instance though, you can simply run a temporary container on the side just to generate your certificates, then mount those certificates inside the Kibana container.

An example of this approach can be seen in tls/README.md. More specifically, the procedure is very similar to what’s described in the Elasticsearch HTTP certificate and CA PEM certificate section.


Demo

$ cd tls/

Generate the archive containing a new certificate and key:

$ docker run -ti --rm \
  -v ${PWD}:/usr/share/elasticsearch/tls \
  docker.elastic.co/elasticsearch/elasticsearch:8.2.3 \
  bin/elasticsearch-certutil cert --pem --ca tls/ca/ca.p12 --dns watchlog.example.com

(When prompted where to write certificates, provide the following path: tls/kibana-https.zip. The corresponding file will be available in the tls/ directory of the docker-elk repo, since the repo’s directory is mounted as a volume during the runtime of the container.)

Enter password for CA (tls/ca/ca.p12) : <leave blank>
Please enter the desired output file [certificate-bundle.zip]: tls/kibana-https.zip

Unzip the certificate and key:

$ sudo unzip kibana-https.zip
Archive:  kibana-https.zip
   creating: instance/
  inflating: instance/instance.crt
  inflating: instance/instance.key

Move the certificate and key:

$ sudo mv -v instance/instance.* kibana/
renamed 'instance/instance.crt' -> 'kibana/instance.crt'
renamed 'instance/instance.key' -> 'kibana/instance.key'

Verify that the certificate has the expected Subject Alternative Name:

$ openssl x509 -in kibana/instance.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
...
        Issuer: CN = Elastic Certificate Tool Autogenerated CA
        Validity
            Not Before: Jun 23 12:16:44 2022 GMT
            Not After : Jun 22 12:16:44 2025 GMT
        Subject: CN = instance
...
        X509v3 extensions:
...
            X509v3 Subject Alternative Name:
                DNS:watchlog.example.com
...

Edit the Compose file to mount the certificate and key:

  kibana:
#...
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro,Z
      # (!) CA certificate. Generate using instructions from tls/README.md.
      - ./tls/kibana/elasticsearch-ca.pem:/usr/share/kibana/config/elasticsearch-ca.pem:ro,z
      - ./tls/kibana/instance.crt:/usr/share/kibana/config/instance.crt:ro,z
      - ./tls/kibana/instance.key:/usr/share/kibana/config/instance.key:ro,z

Edit the Kibana configuration to enable TLS:

# kibana.yml

server.ssl.enabled: true
server.ssl.certificate: config/instance.crt
server.ssl.key: config/instance.key

Restart Kibana, and access it over HTTPS (you will need to ignore warnings because your browser won’t trust docker-elk’s CA).
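As an added diagnostic that is not part of this thread or of the docker-elk repository: the 525 in the original report is what a TLS client sees when port 443 answers in plain HTTP, which is exactly what Kibana does behind "443:5601" until server.ssl.enabled is set. The function below reproduces that classification from the outside and also tells a SAN mismatch apart from an untrusted chain; the local plaintext server is a constructed stand-in for an un-TLS'd Kibana, and tls/kibana/elasticsearch-ca.pem is assumed to be the PEM of the CA that signed the Kibana certificate.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_origin_tls(host, port, cafile, expected_dns):
    """Classify what a TLS client such as Cloudflare gets from host:port.

    Returns ok / plaintext / name-mismatch / untrusted / refused / error, where
    "plaintext" is Kibana with server.ssl.enabled unset behind "443:5601"
    (Cloudflare reports that as error 525).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname + CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # trust only this CA (assumed path)
    else:
        ctx.load_default_certs()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            # server_hostname sets SNI and is the name matched against the SAN
            with ctx.wrap_socket(raw, server_hostname=expected_dns):
                return "ok"
    except ConnectionRefusedError:
        return "refused"
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, so first
        # verify_code 62 is OpenSSL's X509_V_ERR_HOSTNAME_MISMATCH
        return "name-mismatch" if exc.verify_code == 62 else "untrusted"
    except ssl.SSLError as exc:
        # OpenSSL reads the first 5 bytes of a plain-HTTP reply as a record
        # header and rejects its bogus protocol version
        return "plaintext" if exc.reason == "WRONG_VERSION_NUMBER" else "error"
    except OSError:
        return "error"

class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the stand-in server silent
        pass

def start_plaintext_server():
    """Constructed stand-in for Kibana without server.ssl: plain HTTP on a local port."""
    srv = HTTPServer(("127.0.0.1", 0), _Quiet)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    srv, port = start_plaintext_server()
    print(check_origin_tls("127.0.0.1", port, None, "watchlog.example.com"))  # plaintext
    srv.shutdown()
```

Once the demo above is applied, running check_origin_tls(origin_ip, 443, "tls/kibana/elasticsearch-ca.pem", "watchlog.example.com") against the real origin should return "ok"; any other result explains the 525 before Cloudflare is involved.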