Using CA signed certificates in Wazuh in clustered environment


Ashok P

Aug 23, 2023, 11:30:16 PM
to Wazuh | Mailing List
Hi Team,

I just want to know whether we can use CA-signed certificates in a clustered environment on all nodes, where there is a Wazuh manager node with multiple worker nodes, multiple indexer nodes, and the Dashboard installed on a separate node.

Thanks & Regards
Ashok

Harshal Paliwal

Aug 23, 2023, 11:52:06 PM
to Wazuh | Mailing List
Hi Ashok, thanks for using Wazuh!

You will need to create Certificate Signing Requests using OpenSSL and sign them with your root CA certificate to get certificates in PEM format.

Once the installation process is complete, please follow the steps below to replace the certificates with your self-signed certificates:

Make sure to back up the existing certificates on each node before starting:

mv /etc/wazuh-indexer/certs /etc/wazuh-indexer/certs.bak && mkdir /etc/wazuh-indexer/certs
mv /etc/wazuh-dashboard/certs /etc/wazuh-dashboard/certs.bak && mkdir /etc/wazuh-dashboard/certs
mv /etc/filebeat/certs /etc/filebeat/certs.bak && mkdir /etc/filebeat/certs

On your manager node, create a directory where you will store your CSR and key files:
mkdir /root/csr2023 && cd /root/csr2023


Create the different CSR and key files:
openssl req -newkey rsa:2048 -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=<wazuh-indexer-node-ip-address>/" -nodes -sha256 -keyout indexer-key.pem -out indexer.csr

openssl req -newkey rsa:2048 -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=<wazuh-dashboard-node-ip-address>/" -nodes -sha256 -keyout dashboard-key.pem -out dashboard.csr

openssl req -newkey rsa:2048 -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=<wazuh-manager-node-ip-address>/" -nodes -sha256 -keyout filebeat-key.pem -out filebeat.csr

*Replace <wazuh-indexer-node-ip-address>, <wazuh-dashboard-node-ip-address> and <wazuh-manager-node-ip-address> with the corresponding IP addresses.
*If you are using a multi-node cluster environment, you will need to create a CSR for every node.


Sign the CSRs with your CA certificate to obtain new certificates in PEM format:
openssl x509 -req -days 365 -in indexer.csr -CA path_to_your_CA_certificate -CAkey path_to_your_CA_key -out indexer.pem -set_serial 01 -sha256

openssl x509 -req -days 365 -in dashboard.csr -CA path_to_your_CA_certificate -CAkey path_to_your_CA_key -out dashboard.pem -set_serial 02 -sha256

openssl x509 -req -days 365 -in filebeat.csr -CA path_to_your_CA_certificate -CAkey path_to_your_CA_key -out filebeat.pem -set_serial 03 -sha256

*Replace path_to_your_CA_certificate and path_to_your_CA_key with the corresponding paths.


Now you have certificates in PEM format. You can use SCP to transfer the certificates and keys to the corresponding nodes:

scp indexer.pem root@indexer-node-ip-address:/etc/wazuh-indexer/certs/
scp indexer-key.pem root@indexer-node-ip-address:/etc/wazuh-indexer/certs/

scp dashboard.pem root@dashboard-node-ip-address:/etc/wazuh-dashboard/certs/
scp dashboard-key.pem root@dashboard-node-ip-address:/etc/wazuh-dashboard/certs/

scp filebeat.pem root@manager-node-ip-address:/etc/filebeat/certs/
scp filebeat-key.pem root@manager-node-ip-address:/etc/filebeat/certs/
 
Set the correct permissions to certificates on each node:

chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Restart the services on each node:

systemctl restart wazuh-indexer
systemctl restart wazuh-dashboard
systemctl restart wazuh-manager
 

I hope you find this helpful. Please let me know if you face any other issue.

Ashok Prajapati

Aug 24, 2023, 1:32:21 AM
to Harshal Paliwal, Wazuh | Mailing List
Hi,

I have updated the certificates; however, I am getting the message "Wazuh Dashboard Server is not ready yet".

The wazuhapp.log file contains the lines below:

{"date":"2023-08-23T13:00:11.226Z","level":"error","location":"monitoring:getApiInfo","message":"Request failed with status code 500"}
{"data":{"dapi_errors":{"XX-XXX-XXX-XX1":{"error":"Timeout executing API request","logfile":"WAZUH_HOME/logs/api.log"}},"detail":"Timeout executing API request","error":3021,"title":"Wazuh Internal Error"},"date":"2023-08-23T13:00:11.277Z","level":"error","location":"wazuh-api:makeRequest"}
{"data":{"dapi_errors":{"XX-XXX-XXX-XX1":{"error":"Timeout executing API request","logfile":"WAZUH_HOME/logs/api.log"}},"detail":"Timeout executing API request","error":3021,"title":"Wazuh Internal Error"},"date":"2023-08-23T13:00:11.563Z","level":"error","location":"wazuh-api:makeRequest"}
{"data":{"config":{"data":"{}","method":"get","params":{},"url":"https://XX.XXX.XX.XXX:55000/cluster/XX-XXX-XXX-XX1/stats/analysisd?pretty"},"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/createError.js:16:15)\n    at settle (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/settle.js:17:12)\n    at IncomingMessage.handleStreamEnd (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/adapters/http.js:269:11)\n    at IncomingMessage.emit (events.js:412:35)\n    at IncomingMessage.emit (domain.js:475:12)\n    at endReadableNT (internal/streams/readable.js:1333:12)\n    at processTicksAndRejections (internal/process/task_queues.js:82:21)"},"date":"2023-08-23T13:00:17.189Z","level":"info","location":"Cron-scheduler"}
{"data":{"config":{"data":"{}","method":"get","params":{},"url":"https://XX.XXX.XX.XXX:55000/cluster/XX-XXX-XXX-XX1/stats/remoted?pretty"},"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/createError.js:16:15)\n    at settle (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/settle.js:17:12)\n    at IncomingMessage.handleStreamEnd (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/adapters/http.js:269:11)\n    at IncomingMessage.emit (events.js:412:35)\n    at IncomingMessage.emit (domain.js:475:12)\n    at endReadableNT (internal/streams/readable.js:1333:12)\n    at processTicksAndRejections (internal/process/task_queues.js:82:21)"},"date":"2023-08-23T13:00:17.195Z","level":"info","location":"Cron-scheduler"}
{"date":"2023-08-23T13:00:21.533Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 500"}
{"date":"2023-08-23T13:00:31.245Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 500"}
{"date":"2023-08-23T13:00:31.333Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 500"}
{"date":"2023-08-23T13:00:37.464Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 500"}
{"date":"2023-08-23T13:00:37.557Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 500"}
{"date":"2023-08-23T13:00:37.621Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 500"}
{"date":"2023-08-23T13:00:37.710Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 500"}
{"data":{"message":"unable to verify the first certificate","stack":"ConnectionError: unable to verify the first certificate\n    at ClientRequest.onError (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Connection.js:126:16)\n    at ClientRequest.emit (events.js:400:28)\n    at ClientRequest.emit (domain.js:475:12)\n    at TLSSocket.socketErrorListener (_http_client.js:475:9)\n    at TLSSocket.emit (events.js:400:28)\n    at TLSSocket.emit (domain.js:475:12)\n    at emitErrorNT (internal/streams/destroy.js:106:8)\n    at emitErrorCloseNT (internal/streams/destroy.js:74:3)\n    at processTicksAndRejections (internal/process/task_queues.js:82:21)"},"date":"2023-08-24T04:26:01.176Z","level":"info","location":"Cron-scheduler"}
{"data":{"message":"Request timed out","stack":"TimeoutError: Request timed out\n    at ClientRequest.onTimeout (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Connection.js:120:16)\n    at ClientRequest.emit (events.js:400:28)\n    at ClientRequest.emit (domain.js:475:12)\n    at TLSSocket.emitRequestTimeout (_http_client.js:790:9)\n    at Object.onceWrapper (events.js:519:28)\n    at TLSSocket.emit (events.js:412:35)\n    at TLSSocket.emit (domain.js:475:12)\n    at TLSSocket.Socket._onTimeout (net.js:495:8)\n    at listOnTimeout (internal/timers.js:557:17)\n    at processTimers (internal/timers.js:500:7)"},"date":"2023-08-24T04:27:01.034Z","level":"info","location":"Cron-scheduler"}
{"data":{"message":"unable to verify the first certificate","stack":"ConnectionError: unable to verify the first certificate\n    at ClientRequest.onError (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Connection.js:126:16)\n    at ClientRequest.emit (events.js:400:28)\n    at ClientRequest.emit (domain.js:475:12)\n    at TLSSocket.socketErrorListener (_http_client.js:475:9)\n    at TLSSocket.emit (events.js:400:28)\n    at TLSSocket.emit (domain.js:475:12)\n    at emitErrorNT (internal/streams/destroy.js:106:8)\n    at emitErrorCloseNT (internal/streams/destroy.js:74:3)\n    at processTicksAndRejections (internal/process/task_queues.js:82:21)"},"date":"2023-08-24T04:31:01.390Z","level":"info","location":"Cron-scheduler"}
{"data":{"message":"Request timed out","stack":"TimeoutError: Request timed out\n    at ClientRequest.onTimeout (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Connection.js:120:16)\n    at ClientRequest.emit (events.js:400:28)\n    at ClientRequest.emit (domain.js:475:12)\n    at TLSSocket.emitRequestTimeout (_http_client.js:790:9)\n    at Object.onceWrapper (events.js:519:28)\n    at TLSSocket.emit (events.js:412:35)\n    at TLSSocket.emit (domain.js:475:12)\n    at TLSSocket.Socket._onTimeout (net.js:495:8)\n    at listOnTimeout (internal/timers.js:557:17)\n    at processTimers (internal/timers.js:500:7)"},"date":"2023-08-24T04:31:31.439Z","level":"info","location":"Cron-scheduler"}
{"date":"2023-08-24T04:31:33.360Z","level":"error","location":"monitoring:cronTask","message":"socket hang up"}
{"data":{"message":"unable to verify the first certificate","stack":"ConnectionError: unable to verify the first certificate\n    at ClientRequest.onError (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Connection.js:126:16)\n    at ClientRequest.emit (events.js:400:28)\n    at ClientRequest.emit (domain.js:475:12)\n    at TLSSocket.socketErrorListener (_http_client.js:475:9)\n    at TLSSocket.emit (events.js:400:28)\n    at TLSSocket.emit (domain.js:475:12)\n    at emitErrorNT (internal/streams/destroy.js:106:8)\n    at emitErrorCloseNT (internal/streams/destroy.js:74:3)\n    at processTicksAndRejections (internal/process/task_queues.js:82:21)"},"date":"2023-08-24T04:35:04.471Z","level":"info","location":"Cron-scheduler"}
{"data":{"message":"unable to verify the first certificate","stack":"ConnectionError: unable to verify the first certificate\n    at ClientRequest.onError (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Connection.js:126:16)\n    at ClientRequest.emit (events.js:400:28)\n    at ClientRequest.emit (domain.js:475:12)\n    at TLSSocket.socketErrorListener (_http_client.js:475:9)\n    at TLSSocket.emit (events.js:400:28)\n    at TLSSocket.emit (domain.js:475:12)\n    at emitErrorNT (internal/streams/destroy.js:106:8)\n    at emitErrorCloseNT (internal/streams/destroy.js:74:3)\n    at processTicksAndRejections (internal/process/task_queues.js:82:21)"},"date":"2023-08-24T04:35:04.545Z","level":"info","location":"Cron-scheduler"}

Thanks & Regards
Ashok


Ashok Prajapati

Aug 24, 2023, 1:49:55 AM
to Harshal Paliwal, Wazuh | Mailing List
The opensearch_dashboard.yml file contains:

server.host: XX.XXX.XX.XXX
server.port: 443
opensearch.hosts: ["https://XX.XXX.XX.XXX:9200", "https://XX.XXX.XX.XXX:9200"]
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

Thanks & Regards
Ashok

Ashok Prajapati

Aug 24, 2023, 1:57:11 AM
to Harshal Paliwal, Wazuh | Mailing List
I have set the value "none" in opensearch.ssl.verificationMode, and after that the login page appears; however, it still gives an Internal Server Error after I enter the credentials.

Below are the lines in the wazuhapp.log file:

{"date":"2023-08-24T05:50:30.205Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2023-08-24T05:50:30.206Z","level":"info","location":"initialize","message":"App revision: 02"}
{"date":"2023-08-24T05:50:30.206Z","level":"info","location":"initialize","message":"Total RAM: 15800MB"}
{"date":"2023-08-24T05:51:33.910Z","level":"error","location":"monitoring:insertDataToIndex","message":"Error inserting agent data into elasticsearch. Bulk request failed due to Response Error"}


Thanks & Regards
Ashok

Ashok Prajapati

Aug 24, 2023, 3:43:22 AM
to Wazuh | Mailing List
Just wanted to check whether the command below will also do the same work, or whether the certificates have to be generated separately?

bash wazuh-certs-tool.sh -A /path/to/root-ca.pem /path/to/root-ca.key

Thanks & Regards
Ashok


Ashok Prajapati

Aug 24, 2023, 3:56:14 AM
to Harshal Paliwal, Wazuh | Mailing List
Getting the error below when initializing the indexer security:

/usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to XX.XXX.XX.XXX:9200 ... done
ERR: An unexpected SSLHandshakeException occured: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=*.XXXXXXX.com" is not a CA certificate

Any idea how to fix this?

I have generated certificates using "bash wazuh-certs-tool.sh -A /path/to/root-ca.pem /path/to/root-ca.key" and then placed them in the relevant directories on the respective servers.
After that it is not working and is throwing the errors I highlighted in earlier mails.

Thanks & Regards
Ashok
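A pre-flight check for a certificate set produced by the steps in Harshal's reply, written as an added example for this thread (it is not wazuh-certs-tool.sh and not code from any of the posts). It assumes the file names used above (root-ca.pem, indexer.pem, indexer-key.pem, and so on) sit together in one directory, and it tests for the two failures reported in this thread: a trust anchor that is not a CA certificate, and an issued certificate that does not chain to the CA the dashboard trusts.

```bash
#!/bin/sh
# Pre-flight check for a CA-signed Wazuh certificate set (added example, not
# from the thread or the Wazuh project). File names are assumed as in the thread.

# 1. The trust anchor must be a CA certificate (basicConstraints CA:TRUE).
#    A leaf or wildcard server certificate used as root-ca.pem produces the
#    "TrustAnchor ... is not a CA certificate" error seen in this thread.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 2. Each issued certificate must chain to that CA; otherwise a client that
#    trusts only root-ca.pem reports "unable to verify the first certificate".
chains_to_ca() {  # $1 = CA certificate, $2 = issued certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. The private key shipped with a certificate must be the one it was issued for.
key_matches_cert() {  # $1 = private key, $2 = certificate (compares public keys)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 4. Serial numbers must be unique per issuer (RFC 5280), so -set_serial 01 must not be reused.
unique_serials() {  # $@ = certificates
    for c in "$@"; do openssl x509 -in "$c" -noout -serial 2>/dev/null; done \
        | sort | uniq -d | grep -q . && return 1
    return 0
}

# One node's certificate/key pair: prints a verdict line, returns 0 when sound.
check_pair() {  # $1 = CA certificate, $2 = certificate, $3 = private key
    is_ca_cert "$1"            || { echo "FAIL $1: not a CA certificate"; return 1; }
    chains_to_ca "$1" "$2"     || { echo "FAIL $2: does not chain to $1"; return 1; }
    key_matches_cert "$3" "$2" || { echo "FAIL $3: key does not match $2"; return 1; }
    echo "OK   $2"
}

check_set() {  # $1 = directory holding root-ca.pem and the issued .pem/-key.pem files
    d=$1; rc=0
    for n in indexer dashboard filebeat; do
        check_pair "$d/root-ca.pem" "$d/$n.pem" "$d/$n-key.pem" || rc=1
    done
    unique_serials "$d/indexer.pem" "$d/dashboard.pem" "$d/filebeat.pem" \
        || { echo "FAIL: duplicate serial numbers under one CA"; rc=1; }
    return $rc
}

if [ -n "${1:-}" ]; then check_set "$1"; fi
```

Run it as `sh check-certs.sh /root/csr2023` on the node where the CSRs were signed, before copying anything with scp.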