Kibana SSL Generation - farukerdem34/es-ansible GitHub Wiki

🔒 SSL Certificate Preparation and Distribution for Kibana

🎯 Purpose

  • Automate generation of SSL certificates for Kibana using Elasticsearch CA credentials.
  • Distribute certificates securely between nodes.
  • Configure Kibana to use these certificates for encrypted communication.

๐Ÿ› ๏ธ Playbook Workflow

Part 1: Certificate Creation on Elasticsearch Master

  1. Show Secure Password from Keystore

    • Retrieves the password for the Elasticsearch HTTP SSL keystore.
  2. Extract CA Private Key

    • Uses OpenSSL to extract the private key from the PKCS#12 (.p12) keystore, enabling certificate signing.
  3. Generate PEM Certificate for Kibana

    • Runs elasticsearch-certutil to create a PEM certificate for Kibana, signed by the extracted CA, using Kibana's IP address.
    • Output is a zipped archive (kibana.zip).

Part 2: Certificate Distribution and Setup on Kibana Host

  1. Copy Certificate Archive and CA Cert

    • Uses Ansible's synchronize and copy modules (with delegation) to transfer files from the elasticsearch_master host to the kibana host.
  2. Ensure Certificates Directory Exists

    • Creates /etc/kibana/certs directory with proper ownership and permissions.
  3. Unzip Certificate Archive

    • Extracts all certificate files from kibana.zip into the certificates directory.
  4. Move and Secure CA Certificate

    • Moves the CA certificate to its final location and sets its ownership and permissions.

📦 Variables Used

  • es_bin_path: Path to Elasticsearch binaries.
  • certs_path: Path to Elasticsearch certificates.
  • output_path: Temporary output directory for generated files.

🔑 Security Notes

  • All certificate and key operations use secure passwords from the keystore.
  • Files are transferred securely and directory permissions are set to limit access to the kibana user and group.
  • Ensure that the playbook runs with proper privileges (become: true).

🚀 Usage

Run the playbook with your inventory:

ansible-playbook -i <inventory_file> ssl_cert_kibana.yml

Ensure your hosts are organized under the appropriate inventory groups (elasticsearch_master, kibana).

🧐 Troubleshooting

  • Check for permissions errors when accessing or moving certificate files.
  • Ensure all delegate tasks specify correct source and destination hosts.
  • Validate that /etc/kibana/certs contains the expected certificate files after playbook execution.
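A post-run check for the last two points above, added here as an example and not part of the es-ansible playbook. It assumes the playbook leaves kibana.crt, kibana.key and ca.crt in /etc/kibana/certs owned by the kibana user; the file names and owner are assumptions and can be overridden by arguments.

```shell
#!/bin/sh
# Verify what the playbook should have left behind: every expected file present,
# nothing world-accessible, correct owner, and (when openssl is installed) the
# Kibana certificate chains to the CA and belongs to the key beside it.

# other_perms PATH -> the "other" rwx triple from ls -l, e.g. "---" or "r--"
other_perms() { ls -ld "$1" | cut -c8-10; }

# check_kibana_certs DIR [OWNER] [CERT] [KEY] [CA]
# Returns 0 when the layout and permissions are as expected, otherwise prints
# each problem found and returns 1.
check_kibana_certs() {
    dir=$1; owner=${2:-kibana}
    cert=${3:-kibana.crt}; key=${4:-kibana.key}; ca=${5:-ca.crt}
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ "$(other_perms "$dir")" = "---" ] || { echo "directory is world-accessible: $dir"; rc=1; }
    for f in "$cert" "$key" "$ca"; do
        p="$dir/$f"
        [ -f "$p" ] || { echo "missing file: $p"; rc=1; continue; }
        [ "$(other_perms "$p")" = "---" ] || { echo "world-readable: $p"; rc=1; }
        o=$(ls -ld "$p" | awk '{print $3}')
        [ "$o" = "$owner" ] || { echo "unexpected owner $o on $p (want $owner)"; rc=1; }
    done
    return $rc
}

# check_cert_chain DIR [CERT] [KEY] [CA]
# Confirms the certificate was issued by the CA and matches the private key
# (assumes an unencrypted PEM key, as certutil --pem produces).
check_cert_chain() {
    dir=$1; cert=${2:-kibana.crt}; key=${3:-kibana.key}; ca=${4:-ca.crt}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping chain check"; return 0; }
    openssl verify -CAfile "$dir/$ca" "$dir/$cert" >/dev/null || { echo "cert does not chain to $ca"; return 1; }
    [ "$(openssl x509 -in "$dir/$cert" -noout -pubkey)" = "$(openssl pkey -in "$dir/$key" -pubout)" ] \
        || { echo "cert and key do not match"; return 1; }
}

# Usage after the playbook, on the kibana host:
#   check_kibana_certs /etc/kibana/certs && check_cert_chain /etc/kibana/certs
```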