SSL certificate in Wazuh 4.1


Prachi Katakwar

Mar 26, 2021, 3:40:41 AM
to Wazuh mailing list, miguel....@wazuh.com

 

Hi Team and Miguel,

Good morning

Hope you are doing good and it's Friday today!!!!!

I want guidance and a go-ahead from you, in reference to my query below.

Our Kibana dashboard URL to open the Wazuh console is NOT SECURE, something like the screenshot below.

1. Now to make it secure, as per my company standards, I will create a conf file and execute the below command to generate the CSR:

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config config.cnf

2. Then I would load the generated CSR in our company certificate portal to get the SSL certificate (crt).

3. Where should I copy the crt and private key on the Wazuh server, such that the URL gets secured?

Please guide me on the same.

BR
/Prachi

Pedro de Castro

Mar 26, 2021, 4:56:39 AM
to Wazuh mailing list

Hi Prachi!

Good morning and good Friday for you as well. 

I think what you are looking for is to encrypt the traffic between the browser and Kibana. 
Specifically section 2b:

Otherwise, if your server certificate and private key are in PEM format:

Specify your server certificate and private key in kibana.yml:
server.ssl.certificate: "/path/to/kibana-server.crt"
server.ssl.key: "/path/to/kibana-server.key"


The following example is an extract from a server I am running with HTTPS encryption using my own certificate:

server.ssl.enabled: true
server.ssl.certificate: "/usr/share/kibana/node-6_http.pem"
server.ssl.key: "/usr/share/kibana/node-6_http.key"
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"]
elasticsearch.ssl.verificationMode: full

You can check /etc/kibana/kibana.yml and look for those settings, they will guide you where to place the .crt/.pem and .key files.

I hope it helps, regards,
Pedro.

Prachi Katakwar

Mar 26, 2021, 5:24:04 AM
to Pedro de Castro, Wazuh mailing list

Hi Pedro,

Thank you so much for the quick response. You made my day😊

Will try these steps and let you know in case I get stuck.

Thanks a tonnnnnnnn

BR
/Prachi


Prachi Katakwar

Mar 30, 2021, 8:28:05 AM
to Pedro de Castro, Wazuh mailing list

Hi Pedro and Team,

Hope you are doing good.

Are you very sure about the steps for browsing the WAZUH URL with a valid certificate? My current URL is https://sekaissecdetection.hubseka.ericsson.net, I just want to give the valid certificate such that NOT secure goes away.

I am very much confused, how should I proceed?

Using my company's certificate portal, .cer and .p7b extensions are produced after creating the CSR as per my company's certificate policy.

Now when I try to convert .CER to .CRT, below is the error I receive:

[root@sekaissecdetection certificate]# ls
sekaissecdetection.cer  sekaissecdetection.cnf  sekaissecdetection.csr  sekaissecdetection.key
[root@sekaissecdetection certificate]# cat sekaissecdetection.cer

[root@sekaissecdetection certificate]# openssl x509 -inform PEM -in sekaissecdetection.cer -out sekaissecdetection.crt
unable to load certificate
140149988575040:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
[root@sekaissecdetection certificate]#

Please could you help me.

BR
/Prachi

Prachi Katakwar

Mar 31, 2021, 5:48:21 AM
to Pedro de Castro, Wazuh mailing list, miguel....@wazuh.com, Juan Carlos

Hi Team,

I am waiting for the answer, please suggest.

Even if I directly rename .CER to .CRT in the kibana.yml file, our Kibana stops working.

Is it also necessary to give root-ca.pem in the below line?

I received a root digital certificate from the certificate portal while generating the security certificate for the kibana.yml file. Is it the same as root-ca.pem?

elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"]
elasticsearch.ssl.verificationMode: full

BR
/Prachi

Pedro de Castro

Mar 31, 2021, 9:19:41 AM
to Wazuh mailing list

Hi Prachi, 

I didn't know you were using a DNS to access the Wazuh Console, in your case, ericsson.net domain, as you indicated, you need to request a valid certificate from the company. 
Make sure they provide a valid server certificate because sometimes they provide client certificates that are not valid for our use case. 
I think the root-ca.pem is needed as well, and make sure that your browser has the Root CA imported (I don't know if the root certificate the company is using to generate the Kibana certificate is validated by a Trusted Authorization or not). 

I think I am missing some internal details about how your browser is configured and if the certs used by your company should create a trusted certificate for the default browser or not, I think this is something you need to figure out internally. 

Regarding the error you have when using OpenSSL, I think .cer and .crt are equivalent for the majority of the cases and you can rename the extension, the only difference could be the encoding format (PEM/DER) but yours is on PEM. 
I've run some tests and I was able to run the command you pasted before to output the .crt:

C:\Users\snaow\Desktop
λ openssl.exe x509 -inform PEM -in sekaissecdetection.cer -out sekaissecdetection.crt

No errors. The .crt file is identical to the .cer file.

Do you work at Ericsson? Cool :P


I hope it helps.
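The points raised in the reply above (PEM versus DER encoding, a server rather than a client certificate), together with a key-match and host-name check, as an added shell example that is not part of the thread. The function names and the file and host arguments are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sanity checks for a CA-issued
# certificate before server.ssl.certificate / server.ssl.key point at it.

# Report the on-disk encoding. .cer/.crt/.pem are only file names; the
# content is either PEM (base64 with BEGIN/END lines) or binary DER.
cert_encoding() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then echo DER
  else echo UNKNOWN; return 1
  fi
}

# Run all checks, print one line per finding, return non-zero on any failure.
# Arguments: certificate file, private key file, host name typed in the browser.
preflight() {
  local cert=$1 key=$2 host=$3 enc pem rc=0
  enc=$(cert_encoding "$cert") || { echo "FAIL not a PEM or DER certificate"; return 1; }
  pem=$(openssl x509 -inform "$enc" -in "$cert") || return 1   # normalise to PEM
  [ "$enc" = PEM ] || echo "NOTE DER input, convert: openssl x509 -inform DER -in $cert -out cert.pem"

  # 1. Key pair: public key in the certificate must equal the one derived from the key file.
  if [ "$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "FAIL private key does not match certificate"; rc=1
  fi
  # 2. Usage: a client-only certificate cannot be used as a TLS server certificate.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -purpose | grep -q '^SSL server : Yes'; then
    echo "FAIL certificate is not valid for TLS server use"; rc=1
  fi
  # 3. Name: the host in the URL must be covered by the certificate.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$host" | grep -q 'does match certificate'; then
    echo "FAIL certificate does not cover $host"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $enc certificate usable for $host"
  return "$rc"
}
```

Call it as `preflight sekaissecdetection.cer sekaissecdetection.key <host name from the URL>`; it does not check whether the issuing CA is trusted by the browser.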

Prachi Katakwar

Apr 1, 2021, 8:22:46 AM
to Pedro de Castro, Wazuh mailing list, miguel....@wazuh.com, Juan Carlos

Hi Pedro and Team,

How are you today... Wishing you a very Happy Easter😊

Today, since morning I have been continuously working with my SSL certificate team and they have helped a lot in conversion to .cer/.pem and root-ca.pem.

But unfortunately, while browsing the URL, I get the below error:

Secondly, when I do systemctl status kibana, I get the following error:

 

[root@sekaissecdetection kibana]# systemctl status kibana.service

● kibana.service - Kibana

   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)

   Active: active (running) since Thu 2021-04-01 13:37:45 CEST; 32min ago

Main PID: 11885 (node)

    Tasks: 11 (limit: 26213)

   Memory: 249.9M

   CGroup: /system.slice/kibana.service

           └─11885 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist

 

Apr 01 13:37:53 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:53Z","tags":["info","plugins","watcher"],"pid":11885,"message":"Your basic license does not support watcher. Please upgr>

Apr 01 13:37:53 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:53Z","tags":["info","plugins","monitoring","monitoring","kibana-monitoring"],"pid":11885,"message":"Starting monitoring >

Apr 01 13:37:54 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:54Z","tags":["error","elasticsearch","data"],"pid":11885,"message":"[version_conflict_engine_exception]: [task:Lens-lens>

Apr 01 13:37:54 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:54Z","tags":["error","elasticsearch","data"],"pid":11885,"message":"[version_conflict_engine_exception]: [task:Actions-a>

Apr 01 13:37:54 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:54Z","tags":["error","elasticsearch","data"],"pid":11885,"message":"[version_conflict_engine_exception]: [task:endpoint:>

Apr 01 13:37:54 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:54Z","tags":["error","elasticsearch","data"],"pid":11885,"message":"[version_conflict_engine_exception]: [task:Alerting->

Apr 01 13:37:54 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:54Z","tags":["error","elasticsearch","data"],"pid":11885,"message":"[version_conflict_engine_exception]: [task:apm-telem>

Apr 01 13:37:54 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:54Z","tags":["listening","info"],"pid":11885,"message":"Server running at https://10.64.97.71:5601"}

Apr 01 13:37:54 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:54Z","tags":["info","http","server","Kibana"],"pid":11885,"message":"http server running at https://10.64.97.71:5601"}

Apr 01 13:37:55 sekaissecdetection.hubseka.ericsson.net kibana[11885]: {"type":"log","@timestamp":"2021-04-01T11:37:55Z","tags":["warning","plugins","reporting"],"pid":11885,"message":"Enabling the Chromium sandbox provides an additiona>

lines 1-19/19 (END)

 

Also, I have attached the kibana.yml and elasticsearch.yml files for reference.

Lastly, around 2 weeks back, I updated the Wazuh version from 3.12 to 4.1 on our CentOS 8 Linux system.

Components      Previous Version   Upgraded Version
Wazuh           3.12               4.1
Elasticsearch   7.6                7.10.2
Filebeat        7.6                7.10.2
Kibana          7.6                7.10.2

Yes, very happy and blessed to be in Ericsson😊

I am a bit more curious about your guidance as of now: certificate extensions are all correct, so why is it still not running? Also, they are all server certificates validated by a trusted authorization.

Please guide on the same.

BR
/Prachi

kibana.yml
elasticsearch.yml

prachi katakwar

Apr 3, 2021, 3:53:37 PM
to Prachi Katakwar, Juan Carlos, Pedro de Castro, Wazuh mailing list, miguel....@wazuh.com
Hi Team,

Waiting for your reply...

Br
/Prachi

Prachi Katakwar

Apr 5, 2021, 3:58:38 AM
to Pedro de Castro, Wazuh mailing list, miguel....@wazuh.com, Juan Carlos

Hi Pedro and Team,

Any pointers?

BR
/Prachi

Pedro de Castro

Apr 5, 2021, 5:12:36 AM
to Wazuh mailing list
Hi Prachi,

I've sent you an email so we can have an online meeting, I think I can help better there. 
We will post here any progress/solutions we find. 

Thanks!

Prachi Katakwar

Apr 5, 2021, 11:26:33 AM
to Pedro de Castro, Wazuh mailing list

Hi Pedro,

Thank you so much for the time and effort. I really appreciate your technical skills and communication skills; the way you interpret the concept and explain it to users like us is incredible.

Thanks a ton to you Pedro. You resolved the issue so smoothly.

I feel every company needs dedicated employees like you, Wazuh is the lucky one to have you😊

Br

Pedro de Castro

Apr 6, 2021, 9:52:24 AM
to Wazuh mailing list
Thanks Prachi, happy to help ^^ !

nsi...@gmail.com

Apr 6, 2021, 10:30:14 AM
to Wazuh mailing list
Great to hear that everything is solved now.
Maybe you can share with us what was done to solve the problem, so everyone will be able to do it on their side.
Thank you !

Pedro de Castro

Apr 8, 2021, 7:32:41 AM
to Wazuh mailing list
Hi Nsirot, 

We resolved a bunch of other minor details, but the major problem was that the Nginx certificates path was wrong and the Nginx configuration regarding proxy_pass was wrong as well.

Regarding the certificates path, Kibana was loading the proper ones, but Nginx has its own and they are the ones presented to the browser (since for this architecture configuration, Nginx is listening on 443). So you need to make sure that at least the Nginx SSL certificates are the ones you want to present to the end user (browser).
About the proxy_pass configuration, Kibana in later Wazuh versions has HTTPS by default, so you need to update the proxy_pass from HTTP to HTTPS.


I hope it helps for others, best regards,
Pedro.
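The two fixes described in the post above, sketched as an added Nginx configuration that is not the configuration from the thread. The host names, file paths and upstream address are placeholders, and the `proxy_ssl_*` verification lines are an addition beyond what the post mentions.

```nginx
# Before (illustrative): Nginx listens on 443 with a certificate pair other
# than the CA-issued one and forwards over plain HTTP, which fails once
# Kibana itself serves HTTPS.
# server {
#     listen 443 ssl;
#     ssl_certificate     /etc/nginx/ssl/old.crt;       # placeholder path
#     ssl_certificate_key /etc/nginx/ssl/old.key;       # placeholder path
#     location / { proxy_pass http://127.0.0.1:5601; }
# }

# After
server {
    listen 443 ssl;
    server_name wazuh.example.test;                     # placeholder host name

    # This is the pair the browser sees, not the one referenced in kibana.yml.
    ssl_certificate     /etc/nginx/ssl/wazuh.example.test.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/wazuh.example.test.key;            # placeholder

    location / {
        # Kibana has HTTPS enabled, so the upstream scheme must be https.
        proxy_pass https://127.0.0.1:5601;              # placeholder upstream

        # Added hardening: verify Kibana's certificate instead of accepting any.
        proxy_ssl_trusted_certificate /etc/nginx/ssl/kibana-ca.pem;       # placeholder
        proxy_ssl_verify on;
        proxy_ssl_name   kibana.example.test;           # name in Kibana's certificate

        proxy_set_header Host $host;
    }
}
```

Run `nginx -t` before reloading so a wrong certificate path is caught before the listener goes down.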

Jeff Lee

Mar 1, 2022, 6:40:56 PM
to Wazuh mailing list
Hope this reaches you, Pedro.
I am about a year behind, and facing the same issue as Prachi did.
I installed Wazuh via all-in-one unattended (version 4.2) on an AWS EC2 instance.
At the moment, I am able to access the login page with the elastic IP address.
However, the connection is not secure since the self-signed certification is in use.
I would really appreciate your advice,

Thank you very much and hope you guys are still in this everlasting covid,
Jeff