In this post, we are going to continue our series on how to install Elastic (ELK) stack[1] on Fedora 39. This post specifically will cover how to configure Transport Layer Security (TLS) between the Elasticsearch service and the Kibana service.
Even if you are running all of your ELK stack services on a single device, it is still recommended to use TLS for communication between the services.
This will require that you already have Elasticsearch and Kibana installed and configured ready to go. If you need to see how to install Elasticsearch then click here. If you need to see how to install Kibana then click here. Additionally, I am going to assume that you have a Certificate Authority (CA) or some way to issue TLS certificates from a common trust hierarchy.
- SECTION I – Certificates
- SECTION II – Configure Kibana
- SECTION III – Configure Elasticsearch
- SECTION IV – Footnotes
SECTION I – Certificates
To start, we need to get the TLS certificates that we are going to configure into the correct place on your servers. For reference, I have both Elasticsearch and Kibana running on the same server, so make sure you carry out the actions on the relevant server for your set up.
SECTION I – A – Create Certificates
In my set up I am going to use OpenSSL to generate the Certificate Signing Request (CSR) and then use my Microsoft Certificate Services CA to sign those CSRs.
Start by creating a request file using the following command:
vi req.conf
[req]
default_bits = 2048
distinguished_name = <FQDN>
req_extensions = v3_req
prompt = no
[<FQDN>]
C = GB
CN = <FQDN>
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <FQDN>
DNS.2 = <Alternative DNS Name>
IP.1 = <Device IP>
DNS.3 = <Alternative DNS Name>
Example 1 – req.conf
Use the following command to generate the CSR and key:
openssl req -out <filename>.csr -newkey rsa:2048 -nodes -keyout <filename>.key -config req.conf
Now get that generated CSR signed by your CA. When you download the certificate from your CA, make sure it is in ‘Base64’ format and that you download both the certificate and the chain. If using a Microsoft CA then it will be in the P7B format.
Copy that certificate onto the server and convert the .p7b certificate to a .crt format. Use the following command to do so:
openssl pkcs7 -in <filename>.p7b -print_certs -out <filename>.crt
Now repeat this so that you end up with a separate TLS certificate and key for both Kibana and Elasticsearch. You also need to make sure that you have the CA certificate chain in a .crt format on the server as well.
SECTION I – B – Make Certificate Folders
Now that we have our certificates we need to make the correct places to put those certificates.
For Kibana use the following command:
mkdir /etc/kibana/certs
For Elasticsearch use the following command:
mkdir /etc/elasticsearch/certs
SECTION I – C – Set Certificate Permissions and Ownership
Now you need to copy the CA.crt file into both Kibana and Elasticsearch certs directories and then copy the respective .crt and .key files into the Kibana and Elasticsearch certs directories.
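Once you have the certs in the correct directories use the following commands to set the correct file permissions and ownership. The certificates can stay world-readable, but each private key should be readable only by the service account that owns it:
chown kibana:kibana /etc/kibana/certs/*
chown elasticsearch:elasticsearch /etc/elasticsearch/certs/*
chmod 644 /etc/kibana/certs/*.crt
chmod 644 /etc/elasticsearch/certs/*.crt
chmod 600 /etc/kibana/certs/*.key
chmod 600 /etc/elasticsearch/certs/*.key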
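Before pointing Kibana and Elasticsearch at these files, it is worth confirming that each key matches its certificate, that the certificate chains to the CA file, that the name or address clients will connect to is in the subjectAltName, and that the key is not readable by other users. The script below is an added example, not part of the original post; the function names, the host es01.example.test, the address 192.0.2.10 and the throwaway "Demo CA" (standing in for the real CA) are assumptions made for the demonstration.

```bash
# Added example, not from the original post; host, IP and "Demo CA" are constructed.
# check_tls_material CERT KEY CA SAN   (SAN as openssl prints it, e.g. "DNS:name")
check_tls_material() {
    local cert="$1" key="$2" ca="$3" san="$4" rc=0
    # 1. The key must belong to the certificate (identical public key).
    if [ "$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)" != \
         "$(openssl pkey -in "$key" -pubout | openssl sha256)" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    # 2. The certificate must chain to the CA file both services will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; rc=1; }
    # 3. The name or address clients connect to must be an exact SAN entry.
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "$san" ||
        { echo "FAIL: $cert has no SAN entry '$san'"; rc=1; }
    # 4. The private key must be accessible to its owner only.
    case "$(stat -c %a "$key")" in
        [46]00) ;;
        *) echo "FAIL: $key is accessible beyond its owner"; rc=1 ;;
    esac
    return "$rc"
}
# make_demo_material DIR: throwaway CA and one leaf built from a req.conf like Example 1.
make_demo_material() {
    local d="$1"
    cat > "$d/req.conf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = es01.example.test
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = es01.example.test
IP.1 = 192.0.2.10
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.conf" \
        -extensions v3_ca -subj '/CN=Demo CA' -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$d/req.conf" \
        -keyout "$d/es.key" -out "$d/es.csr" 2>/dev/null
    openssl x509 -req -in "$d/es.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/req.conf" -extensions v3_req -out "$d/es.crt" 2>/dev/null
    chmod 600 "$d/es.key"
}
```

On the server, call check_tls_material with the real certificate, key and CA chain for each service, passing the address Kibana will use for Elasticsearch as the last argument (for example "IP Address:<Device IP>").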
SECTION II – Configure Kibana
Now we have the correct certificates in the correct places we can configure Kibana to use the TLS certificate that we have generated for it.
Use the following command to open the Kibana configuration file:
vi /etc/kibana/kibana.yml
Make sure that your Kibana configuration file looks similar to Example 2. Note the ‘https’ in the Elasticsearch host, and that the certificate and key paths point at the /etc/kibana/certs directory created in Section I – B.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/<Filename>.crt
server.ssl.key: /etc/kibana/certs/<Filename>.key
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/<CA>.crt"]
elasticsearch.hosts: ['https://<Elasticsearch Host IP>:9200']
Example 2 – kibana.yml
Now, with that configuration file changed and saved, restart the Kibana service to apply those changes using the following command:
systemctl restart kibana
SECTION III – Configure Elasticsearch
Finally, we can configure Elasticsearch to use the TLS certificate that we generated for it.
Use the following command to open the Elasticsearch configuration file:
vi /etc/elasticsearch/elasticsearch.yml
Make sure that your Elasticsearch configuration file looks similar to Example 3.
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  key: /etc/elasticsearch/certs/<filename>.key
  certificate: /etc/elasticsearch/certs/<filename>.crt
  certificate_authorities: ["/etc/elasticsearch/certs/<CA>.crt"]
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: full
  key: /etc/elasticsearch/certs/<filename>.key
  certificate: /etc/elasticsearch/certs/<filename>.crt
  certificate_authorities: ["/etc/elasticsearch/certs/<CA>.crt"]
Example 3 – elasticsearch.yml
Now, with that configuration file changed and saved, restart the Elasticsearch service to apply those changes using the following command:
systemctl restart elasticsearch
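One way to catch the common mistakes in these two files before restarting the services, as an added example rather than part of the original post: lint_tls_config is a hypothetical helper that flags a plain-http Elasticsearch URL, a verification mode of none, and certificate, key or CA paths that do not exist on disk. The sample files written by demo_lint are constructed.

```bash
# Added example, not from the original post. lint_tls_config is a hypothetical helper.
# lint_tls_config FILE: prints one line per finding, returns the number of findings.
lint_tls_config() {
    local file="$1" findings=0 path
    local keys='^[[:space:]]*[A-Za-z._]*(certificate|key|certificateAuthorities|certificate_authorities):'
    # Kibana only authenticates Elasticsearch when the host URL is https://.
    if grep -E '^[[:space:]]*elasticsearch\.hosts:' "$file" | grep -q 'http://'; then
        echo "FINDING: elasticsearch.hosts contains an http:// URL"
        findings=$((findings + 1))
    fi
    # Certificate verification must not be switched off in either file.
    if grep -Eiq '^[[:space:]]*[a-z._]*verification_?mode:[[:space:]]*"?none' "$file"; then
        echo "FINDING: certificate verification is set to none"
        findings=$((findings + 1))
    fi
    # Every certificate, key and CA path that is referenced must exist and be readable.
    for path in $(grep -E "$keys" "$file" | grep -oE "/[^]\"', ]+"); do
        if [ ! -r "$path" ]; then
            echo "FINDING: $path is referenced but not readable"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# demo_lint: constructed kibana.yml samples; the first has two deliberate mistakes.
# Findings go to stderr; stdout carries "<findings in bad.yml> <findings in good.yml>".
demo_lint() {
    local d bad=0 good=0
    d="$(mktemp -d)"
    mkdir "$d/certs"
    touch "$d/certs/kibana.crt" "$d/certs/kibana.key" "$d/certs/ca.crt"
    cat > "$d/bad.yml" <<EOF
server.ssl.enabled: true
server.ssl.certificate: $d/missing/kibana.crt
server.ssl.key: $d/certs/kibana.key
elasticsearch.ssl.certificateAuthorities: ["$d/certs/ca.crt"]
elasticsearch.hosts: ['http://192.0.2.10:9200']
EOF
    sed -e 's#/missing/#/certs/#' -e 's#http://#https://#' "$d/bad.yml" > "$d/good.yml"
    lint_tls_config "$d/bad.yml" >&2 || bad=$?
    lint_tls_config "$d/good.yml" >&2 || good=$?
    rm -rf "$d"
    echo "$bad $good"
}
```

Run it as the service account (for example with sudo -u kibana) so that the readability check reflects what the service itself can open.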
SECTION IV – Footnotes
1. ELK Stack – this is a term used to refer to multiple services that have an end goal of ingesting data from any source in any format and providing a way to reliably and securely search, analyse and visualise that data.
