这篇文章我首先发布在Elastic Forum，因为要找到一个使能kibana 和 Elasticsearch 之间加密通信的方法，我发帖求助，其中一些人给了我错误的解答，Elasticsearch的在线文档有些内容没有讲清楚。我自己在论坛大侠的提示下，试了好几种方法才搞定。
我用的是Elasticsearch kibana 6.5, CentOS 7.
(1) generate server certificate for kibana
Use elasticsearch-certutil in the installation directory of elasticsearch, since kibana installation directory has no such utility
But you need to create a yml file for the setting of subject Alternative name, which is indispensable for TLS/SSL certification by chrome browser.
In my case, it is kibanacert.yml and its contents are:
instances: - name: "kibana-server" dns: - "kibana.node.cn"
Here “ kibana.node.cn” is the subject Alternative name.
Also, you need to specify
--pem for the output of separate key and certificate files rather than a single .P12 file, from which cert and key files derived can’t be parsed by kibana ( it is probably a bug of kibana). In my case, it is:
$ elasticsearch-certutil cert --silent --pem --in kibanacert.yml --out kibana-server.zip
it would prompt you with password, you just input your password and it would succeed.
Now you have kibana-server.zip file, move it to kibana installation directory.
it would create two new directories, one named
ca for storing of
ca.crt, which is “Elastic Certificate Tool Autogenerated CA”, the other named
kibana-server for storing of
kibana-server.crt which is the certificate of kibana server, and
kibana-server.key, which is the private key of kibana server.
(2) Set kibana host address in kibana.yml
In the config/kibana.yml, Specifies the address to which the Kibana server will bind.
Please note that it must be set the same as the subject Alternative name of the certificate generated above.
In root mode, add the host name in /etc/hosts, i.e. add one line with the ip address of the server followed by space and the host name, otherwise the browser can’t parse the host name.
(3) Set server certificate and private key in kibana.yml
In config/kibana.yml , enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
server.ssl.enabled: true server.ssl.certificate: /path to the certificate/kibana-server.crt server.ssl.key: /path to the key/kibana-server.key
(4) Configure Kibana to connect to Elasticsearch via HTTPS:
Just follow the steps in
must be the same as the one you created for elasticsearch.
(5) run bin/kibana
should run successfully
(6) import certificate files in chrome browser
Merge the certificate and key into one .p12 file
openssl pkcs12 -export -out kibana-server.p12 -inkey kibana-server.key -in kibana-server.crt
The kibana-server.p12 file is created.
In the Chrome Settins→Advanced→Manage certificate, in “Your certificate”, import the
kibana-server.p12. In “Authorities”, import the
ca.crt and select “Trust this certificate for identifying website”.
(7) run chrome browser
It would display a window for you to log-in If your Elasticsearch is protected with basic authentication or it would automatically connect to elasticsearch. Now it is done.