Let's Encrypt SSL certs installed and available, but cannot verify with .yml file

Bill Justesen

Sep 14, 2022, 5:50:32 PM
to Wazuh mailing list
We've got the SSL certs up and running and are not seeing any errors in the logs. But to have them work, we had to modify the opensearch.ssl.verificationMode to none in the /etc/wazuh-dashboard/opensearch_dashboards.yml file.

If we set it to certificate or full, then the dashboard never loads and there are errors in the logs.

You can see that the certs are valid as shown from Google Chrome when we load the wazuh dashboard in a browser.

cert.png

Is this a bug of some sort?

Luis González Romero

Sep 15, 2022, 4:52:20 AM
to Wazuh mailing list

Hello @bjustesen, hope you’re doing great.

First of all, did you change the opensearch.ssl.certificateAuthorities field or is it default? If you changed it, you could try to revert it to what Wazuh had by default (root-ca.cert) and set opensearch.ssl.verificationMode to certificate. Also, could you share the logs you mentioned and the /etc/wazuh-dashboard/opensearch_dashboards.yml configuration so I can look into this?

Will be waiting for any updates,
Luis.

Bill Justesen

Sep 15, 2022, 1:47:44 PM
to Wazuh mailing list

Luis, thanks for responding. I heartily appreciate it!

The opensearch.ssl.certificateAuthorities field is the default root-ca.cert. For full transparency, I used certbot-dns-cloudflare to generate the certificates from Let's Encrypt and I had to set the wazuh-indexer-service start timeout to 3 minutes. Otherwise it timed out on reboot.

As you requested, the full /etc/wazuh-dashboard/opensearch_dashboards.yml file is shown as it is currently running on the server. Bold text indicates changes I made to the default files; all other defaults remain unchanged if they aren't listed.

/etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
opensearch.hosts: https://logs[.]domain[.]com:9200
server.port: 443
opensearch.ssl.verificationMode: none
# opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver

opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
opensearch_security.cookie.secure: true

/etc/filebeat/filebeat.yml
output.elasticsearch.hosts:
         - logs[.]domain[.]com:9200
         # - 127.0.0.1:9200
filebeat.modules
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true
      # enabled: false

/etc/wazuh-indexer/opensearch.yml
network.host: "logs[.]domain[.]com"
# network.host: "127.0.0.1"
plugins.security.ssl.http.enabled_protocols: ["TLSv1.2"," TLSv1.3"]
#  - "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=logs[.]domain[.]com"
# - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.nodes_dn:
- "CN=logs[.]domain[.]com"
# - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"

All logs are attached. They are sorted by when the SSL verification was either 'none' or 'certificate'. I know they aren't .bc files, I just like the formatting markup in Notepad++.

Since this is a new Wazuh instance, if I have to start from scratch it isn't a big deal. I just want to get it so that everything is working. I hadn't realized that filebeat wasn't starting with either configuration.

I hope this helps.

P.S. Copy and paste didn't format the names of the fields correctly from your response, so I simply highlighted them. Instructions to do the `code` background would be great. Thank you.

ssl-verify-certificate-journalctl.bc
ssl-verify-none-wazuh-cluster.bc
ssl-verify-none-filebeat.bc
ssl-verify-none-journalctl.bc
ssl-verify-certificate-wazuh-cluster.bc
ssl-verify-certificate-filebeat.bc
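
The three opensearch.ssl.verificationMode values discussed in this thread, reproduced as an added diagnostic (not part of the original posts or of Wazuh's code): it performs the TLS handshake against the indexer under each mode, trusting only the CA file named in opensearch.ssl.certificateAuthorities, and reports the verification error. The host name is a placeholder and the function names are hypothetical.

```python
import socket
import ssl

MODES = ("none", "certificate", "full")

def build_context(mode, cafile=None):
    """Return an SSLContext that mirrors one verificationMode value."""
    if mode not in MODES:
        raise ValueError(f"unknown verificationMode: {mode!r}")
    # With cafile set, only that file is trusted; None uses the system store.
    ctx = ssl.create_default_context(cafile=cafile)
    if mode != "full":
        ctx.check_hostname = False       # only 'full' checks the host name
    if mode == "none":
        ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx

def probe(host, port, mode, cafile=None, timeout=5.0):
    """Handshake with host:port under `mode`; return (ok, detail)."""
    try:
        ctx = build_context(mode, cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate" or a name mismatch
        return False, f"verify failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"failed: {exc}"

def report(host, port, cafile):
    """Run the probe once per mode so the results can be compared."""
    return {mode: probe(host, port, mode, cafile) for mode in MODES}

if __name__ == "__main__":
    # Assumptions: placeholder indexer host; CA path as posted in the thread.
    results = report("indexer.example.com", 9200,
                     "/etc/wazuh-dashboard/certs/root-ca.pem")
    for mode, (ok, detail) in results.items():
        print(f"{mode:12} {'OK' if ok else 'FAIL':5} {detail}")
```

A result where none succeeds but certificate fails means the certificate served on port 9200 does not chain to the configured CA file; certificate succeeding while full fails points at the host name in the certificate.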

Bill Justesen

Sep 20, 2022, 2:11:23 PM
to Wazuh mailing list
@Luis, have you had any luck on determining a cause or are you able to duplicate the issue?

lspl.secana4

Sep 11, 2023, 5:32:39 AM
to Wazuh | Mailing List
Hello Bill,
Can we get open-search root-certs in /etc, like for example "/etc/wazuh-dashboard/certs/root-ca.pem"?