-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
change to have kibana --ssl cli option use more recent certs #57933
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested this locally and it works, LGTM on behalf of the Security team. Thanks!
// functional tests. Once that is done, the existing test cert/key at DEV_SSL_CERT_PATH and DEV_SSL_KEY_PATH can be deleted. | ||
set('server.ssl.certificate', DEV_SSL_CERT_PATH); | ||
set('server.ssl.key', DEV_SSL_KEY_PATH); | ||
set('server.ssl.certificate', KBN_CERT_PATH); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
set('server.ssl.certificate', KBN_CERT_PATH); | |
set('server.ssl.certificateAuthorities', CA_CERT_PATH); | |
set('server.ssl.certificate', KBN_CERT_PATH); |
Nit: This isn't required to make things work, but I would set the server.ssl.certificateAuthorities
here. This ensures that the Kibana server will send the CA certificate to clients along with the server certificate.
Also you'd need to add another ensureNotDefined
above for this setting.
Before and after
Before:$ keytool -printcert -sslserver localhost:5601
Certificate #0
====================================
Owner: CN=kibana
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: d356920f65ccd88ba8d90c16114a1dc5f26999aa
Valid from: Fri Dec 27 12:03:42 EST 2019 until: Sat Dec 14 12:03:42 EST 2069
Certificate fingerprints:
SHA1: 10:A4:C7:7E:07:C4:9B:A0:A6:57:FD:70:78:7A:EE:BF:BD:CB:27:2C
SHA256: 66:7B:31:92:7D:4F:68:C0:40:08:24:E3:9B:2B:7F:CD:D5:0F:8B:E6:13:0D:E5:FF:62:2B:B9:24:DF:65:46:1C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1A ED 26 0E 7B C3 46 70 5D 34 11 BC 0F 1C 0F 75 ..&...Fp]4.....u
0010: 60 2B 07 49 `+.I
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B 07 51 28 DB 73 37 4A CF 0C B0 56 B3 57 E4 F0 ..Q(.s7J...V.W..
0010: 71 BD CF 98 q...
]
]
After:
$ keytool -printcert -sslserver localhost:5601
Certificate #0
====================================
Owner: CN=kibana
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: d356920f65ccd88ba8d90c16114a1dc5f26999aa
Valid from: Fri Dec 27 12:03:42 EST 2019 until: Sat Dec 14 12:03:42 EST 2069
Certificate fingerprints:
SHA1: 10:A4:C7:7E:07:C4:9B:A0:A6:57:FD:70:78:7A:EE:BF:BD:CB:27:2C
SHA256: 66:7B:31:92:7D:4F:68:C0:40:08:24:E3:9B:2B:7F:CD:D5:0F:8B:E6:13:0D:E5:FF:62:2B:B9:24:DF:65:46:1C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1A ED 26 0E 7B C3 46 70 5D 34 11 BC 0F 1C 0F 75 ..&...Fp]4.....u
0010: 60 2B 07 49 `+.I
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B 07 51 28 DB 73 37 4A CF 0C B0 56 B3 57 E4 F0 ..Q(.s7J...V.W..
0010: 71 BD CF 98 q...
]
]
Certificate #1
====================================
Owner: CN=Elastic Certificate Tool Autogenerated CA
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: 5b46eb844b582b7b540589579d46be00c9805fa9
Valid from: Fri Dec 27 12:02:32 EST 2019 until: Sat Dec 14 12:02:32 EST 2069
Certificate fingerprints:
SHA1: 86:5D:45:49:A1:18:5A:33:66:CD:01:40:A3:4D:2C:45:C1:60:7C:7B
SHA256: AE:E4:15:52:63:D1:8B:E3:69:DB:BD:48:08:F0:E5:9D:55:2D:3E:F1:56:69:12:80:71:74:78:BF:E1:7D:BE:55
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1A ED 26 0E 7B C3 46 70 5D 34 11 BC 0F 1C 0F 75 ..&...Fp]4.....u
0010: 60 2B 07 49 `+.I
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1A ED 26 0E 7B C3 46 70 5D 34 11 BC 0F 1C 0F 75 ..&...Fp]4.....u
0010: 60 2B 07 49 `+.I
]
]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
validated that my "before" looks like yours, before making the change ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and validated that my "after" also looks like yours
Seems like the following files are no longer needed:
Doing some searching on the file names, and exports in I'll try deleting all these in a separate commit, see how CI reacts. |
I was pretty conservative in the summary regarding the "check list", I don't anything that is there now is relevant. I don't think there are breaking API changes, unless the new "disallowing The only thing I'm kinda wondering about is whether we have docs-for-devs that might point them at the old creds (eg, "you can add these to your Keychain" kinda thing). |
Are there some appropriate feature / team labels I should use for this PR? |
Pinging @elastic/kibana-security (Team:Security) |
Added labels |
@jportner Are there any other approvals needed, or other concerns to be addressed, or is this good to merge to master? |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
…#57933) * change to have --ssl cli option use more recent certs * also configure 'server.ssl.certificateAuthorities' per PR review * delete theoretically now-unused ssl creds
…dex-server-side * 'master' of github.com:elastic/kibana: (34 commits) [Upgrade Assistant] Remove "boom" from reindex service (elastic#58715) [data] Clean up QueryStringInput unit tests (elastic#58704) [SIEM] Detection Fix typo in Adobe Hijack Persistence rule (elastic#58804) Restores [SIEM][CASE] Init Configure Case Page (elastic#58121) (elastic#58924) Skips additional failing Ingest Manager integration tests Skips failing Ingest Manager integration tests Move dev tools styles to NP (elastic#58855) change to have kibana --ssl cli option use more recent certs (elastic#57933) disable failing suite (elastic#58942) Don't start pollEsNodesVersion unless someone subscribes (elastic#56923) Do not write UUID file during optimize process (elastic#58899) [Endpoint] Task/add nav bar (elastic#58604) [Metric Alerts] Add backend support for multiple expressions per alert (elastic#58672) [Metrics Alerts] Fix alerting on a rate aggregation (elastic#58789) disable flaky suite (elastic#55953) Revert "[SIEM] apollo@3 (elastic#51926)" and "[SIEM][CASE] Init Confi… (elastic#58806) [resubmit] Prep agg types for new platform (elastic#58893) [Lens] Allow number formatting within Lens (elastic#56253) [Autocomplete] Use settings from config rather than UI settings (elastic#58784) Improve action and trigger types (elastic#58657) ... # Conflicts: # x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts
Summary
Trying to fix the situation when running Kibana via
yarn start --ssl
, where:The cert/key used currently are here:
kibana/src/cli/dev_ssl.js
Lines 20 to 22 in 76d475a
This PR changes to use these instead: https://github.com/elastic/kibana/tree/master/packages/kbn-dev-utils/certs
The good news is when I run this code via
yarn start --ssl
, I'm able to get a Chrome session not complaining about invalid certs, and the red error log messagescertificate unknown
are no longer printed.Note that the source location where these paths are changed includes the following TODO comment, which I deleted for this PR:
kibana/src/cli/serve/serve.js
Lines 124 to 125 in 76d475a
As such, I expect CI to fail, but I'm curious how badly it will fail :-)
Checklist
For maintainers