Original install method (e.g. download page, yum, from source, etc.): source
Describe the bug: Kibana doesn't properly establish trust for server certificates that have an empty Subject and a valid Subject Alternative Name (SAN). This problem can be encountered any place in Kibana that establishes an outbound HTTPS connection.
Steps to reproduce:
1. Generate a certificate authority (CA)
2. Generate a certificate signing request (CSR) with an empty Subject and a valid Subject Alternative Name (SAN), then sign it with the CA to produce the server certificate
3. Start Elasticsearch with the new server certificate
Expected behavior: Kibana should connect to Elasticsearch and properly trust the TLS certificate. According to RFC 5280 section 4.1.2.6, an end-entity certificate does not have to have a Subject set to be valid.
Provide logs and/or server output (if relevant): As described above, this problem can be encountered any place in Kibana that establishes an outbound HTTPS connection. The specific error message is: Hostname/IP does not match certificate's altnames: Cert is empty. Sample server output:
server log [14:07:05.698] [error][admin][elasticsearch] Request error, retrying
GET https://localhost:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => Hostname/IP does not match certificate's altnames: Cert is empty
server log [14:07:05.702] [error][data][elasticsearch] Request error, retrying
GET https://localhost:9200/_xpack => Hostname/IP does not match certificate's altnames: Cert is empty
server log [14:07:05.705] [error][data][elasticsearch] Request error, retrying
HEAD https://localhost:9200/.apm-agent-configuration => Hostname/IP does not match certificate's altnames: Cert is empty
server log [14:07:05.713] [warning][data][elasticsearch] Unable to revive connection: https://localhost:9200/
server log [14:07:05.713] [warning][data][elasticsearch] No living connections
server log [14:07:05.714] [warning][licensing][plugins] License information could not be obtained from Elasticsearch due to Error: No Living connections error
server log [14:07:05.716] [info][plugins][searchprofiler] You cannot use searchprofiler because license information is not available at this time.
server log [14:07:05.718] [warning][admin][elasticsearch] Unable to revive connection: https://localhost:9200/
server log [14:07:05.718] [warning][admin][elasticsearch] No living connections
server log [14:07:05.719] [error][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes.
server log [14:07:05.720] [warning][data][elasticsearch] Unable to revive connection: https://localhost:9200/
server log [14:07:05.720] [warning][data][elasticsearch] No living connections
Could not create APM Agent configuration: No Living connections
Any additional context: Kibana relies on the Node platform for TLS certificate validation. This problem was identified in nodejs/node#11771 and fixed in nodejs/node#22906. The fix is applied to Node version 13.3.0+ and 12.14.1+. However, Kibana currently uses Node 10.19.x.
jportner added the bug, triaged, and Team:Security labels on Feb 6, 2020
Kibana version: 7.6 and below