I performed these steps on a Ubuntu 20.04 server configuration running vanilla Elasticsearch and Kibana 7.15.1.\u00a0 More information on this installation can be found here.<\/a><\/p>\n I own a domain called secognition.com, I registered it through https:\/\/www.gandi.net<\/a>.\u00a0 They offer many services relatively inexpensively.\u00a0 In this case, I wanted to add a subdomain to secognition.com and point the name to my new Elasticsearch server.\u00a0 I went into my domain configuration gandi.net and added delphi<\/em> as an A record.\u00a0 This creates the subdomain and I pointed it to the internal IP of my new server which was 10.255.100.100.\u00a0 You will want to stay logged into your domain configuration as one more step will be required in the certificate part of the procedure.<\/p>\n Small warning: Adding internal routable IPs to the internet DNS table is not recommended.\u00a0 Since I don’t have an internal DNS to point to, adding this won’t break anything.\u00a0 If ever you were to present your Elasticsearch server for use on the internet for folks to browse, you would need to change this internal IP to your new internet IP and modify your internal DNS to point to the internal IP.<\/p>\n Ok so we’ve added the DNS record, saved it and can ping the fully qualified domain name.\u00a0 Next, setup LetsEncrypt.<\/p>\n The next step involves installing some additional applications on your elasticsearch server.<\/p>\n The command above will install the certbot application to interact with LetsEncrypt.\u00a0 LetsEncrypt is a service from the Electronic Frontier Foundation (EFF) where they offer free encryption certificates that last for a period of 3 months.\u00a0 These certificates will need to be renewed, but the certbot can help out by automating this functionality.<\/p>\n Once certbot is installed, we can proceed to generate the certificates and download them to our new server.<\/p>\n The command above tells LetsEncrypt the following:<\/p>\n Once you enter the command you’ll be presented with a code to enter into your DNS records.<\/p>\n Something similar to:<\/p>\n Log back into your domain DNS management screen and create a TXT type record.<\/p>\n You will need to enter the _acme_challenge part as the hostname to your TXT.\u00a0 No need to add the .yourdomain.com part, this will be done automatically.<\/p>\n You will then enter the random code LetsEncrypt provided into the value part.\u00a0 Save the entry and press enter to continue the process, the certbot will attempt to validate the new TXT record.\u00a0\u00a0 This may take a few minutes. be patient.<\/p>\n Once the validation of the certbot is complete, the certificates will be saved in the \/etc\/letsencrypt directory.<\/p>\n Almost completed.\u00a0 Now we need to configure the certificates in Nginx and Kibana.\u00a0 Thankfully, certbot can do this for us for Nginx.<\/p>\n Replace delphi.yourserver.com with your own fully qualified domain name.<\/p>\n You should then see the following choices.\u00a0 Since we already have the certificates downloaded, choose 1 to not renew and replace the existing certs.<\/p>\n certbot will search for the nginx configuration file for your domain.\u00a0 The server_name entry should be the same as what you put into the certbot command.\u00a0 If found, certbot will ask if you want to\u00a0 modify the file to add the locations of the TLS certificates and give you a choice to redirect unencrypted traffic (port 80) to port 443 https. I chose 2.<\/p>\n Your nginx domain config file should resemble something like this now.<\/p>\n Make sure to modify the domain names (delphi.myserver.com) to your own domain names and restart the nginx process.<\/p>\n For Kibana, we’ll need to copy over the certificates to the \/etc\/kibana directory.\u00a0 I created a SSL directory and copied the letsencrypt certificates into the directory then changed the permissions and ownership.\u00a0 You will have to perform this step everytime the certificates are renewed.<\/p>\n In Kibana edit your \/etc\/kibana\/kibana.yml config as follows, uncomment the server. lines and add in the directories to your certificates:<\/p>\n Restart your kibana and elasticsearch processes to apply the new configuration<\/p>\n Check the status of your processes<\/p>\n Then attempt to browse using HTTPS to your Elasticsearch server.<\/p>\n I hope this was informative and saved you some time – I spent approximately 2 hours figuring out which entries to add and which to remove to make this work correctly.\u00a0 If all goes well this should not take more than 30 minutes.<\/p>\n Thanks for reading.\u00a0 Stay safe and let me know how things went in the comments if there are any steps I may have missed or ways to gain efficiencies in the process.<\/p>\n","protected":false},"excerpt":{"rendered":" Once in a while I reset my Elasticsearch config to stay up to date on new developments and see how I can improve my setup.\u00a0 I thought to add a secure certificate to the front end of my elastic instance.\u00a0 There’s alot of documents out there but not something that brings it all together.\u00a0 This… Setup a Domain (or Subdomain) for a Fully Qualified Domain Name:<\/h4>\n
LetEncrypt TLS Certificates Installation<\/h4>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2021\/10\/installcertbot.png\")
<\/p>\ncertbot --manual certonly -d delphi.yoursever.com -m <your e-mail address> --preferred-challenge dns --agree-tos<\/strong><\/span><\/pre>\n\n
_acme-challenge.yourserver.com<\/strong><\/span><\/code>\u00a0 with some code after it.<\/p>\nInstall the certificate in Nginx and Kibana<\/h4>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2021\/10\/certbot2.png\")
<\/p>\n![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2021\/10\/certbot2-1.png\")
<\/p>\n![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2021\/10\/certbot3.png\")
<\/p>\nserver {<\/strong>\r\n\r\nserver_name delphi.myserver.com;<\/strong>\r\n\r\nlocation \/ {<\/strong>\r\nproxy_pass https:\/\/localhost:5601;<\/strong>\r\nproxy_http_version 1.1;<\/strong>\r\nproxy_set_header Upgrade $http_upgrade;<\/strong>\r\nproxy_set_header Connection 'upgrade';<\/strong>\r\nproxy_set_header Host $host;<\/strong>\r\nproxy_cache_bypass $http_upgrade;<\/strong>\r\n}<\/strong>\r\n\r\nlisten 443 ssl; # managed by Certbot<\/strong>\r\nssl_certificate \/etc\/letsencrypt\/live\/delphi.myserver.com\/fullchain.pem; # managed by Certbot<\/strong>\r\nssl_certificate_key \/etc\/letsencrypt\/live\/delphi.myserver.com\/privkey.pem; # managed by Certbot<\/strong>\r\ninclude \/etc\/letsencrypt\/options-ssl-nginx.conf; # managed by Certbot<\/strong>\r\nssl_dhparam \/etc\/letsencrypt\/ssl-dhparams.pem; # managed by Certbot<\/strong>\r\n\r\n\r\n}server {<\/strong>\r\nif ($host = delphi.myserver.com) {<\/strong>\r\nreturn 301 https:\/\/$host$request_uri;<\/strong>\r\n} # managed by Certbot<\/strong>\r\n\r\n\r\nlisten 80;<\/strong>\r\n\r\nserver_name delphi.myserver.com;<\/strong>\r\nreturn 404; # managed by Certbot<\/strong>\r\n\r\n\r\n}<\/strong><\/span><\/pre>\ndave@delphi:~$ sudo service nginx restart<\/strong>\r\ndave@delphi:~$<\/strong><\/span><\/pre>\nmkdir \/etc\/kibana\/ssl<\/strong>\r\ncp -pr \/etc\/letsencrypt\/live\/delphi.myserver.com \/etc\/kibana\/ssl<\/strong>\r\nchmod 750 \/etc\/kibana\/ssl\/delphi.myserver.com<\/strong>\r\nchmod 640 \/etc\/kibana\/ssl\/delphi.myserver.com\/*<\/strong>\r\nchown -R root.kibana \/etc\/kibana\/ssl\/delphi.myserver.com\/<\/strong><\/span><\/pre>\nserver.ssl.enabled: true<\/strong>\r\nserver.ssl.certificate: \/etc\/kibana\/ssl\/delphi.myserver.com\/fullchain1.pem<\/strong>\r\nserver.ssl.key: \/etc\/kibana\/ssl\/delphi.myserver\/privkey1.pem<\/strong><\/span><\/pre>\ndave@delphi:~$ sudo service elasticsearch restart<\/strong>\r\n[sudo] password for dave:<\/strong>\r\ndave@delphi:~$ sudo service kibana restart<\/strong>\r\ndave@delphi:~$<\/strong><\/span><\/pre>\n![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2021\/10\/elaststat.png\")
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2021\/10\/kibanastat.png\")
<\/p>\n![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2021\/10\/elasticwebhttps.png\")
<\/p>\n
Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-665","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=665"}],"version-history":[{"count":0,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/665\/revisions"}],"wp:attachment":[{"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}