ELK stack over SSL? - ssl

I have successfully installed Elasticsearch, Logstash, Kibana and Nginx on an ubuntu 14 server, everything is working perfectly but i want Logstash and Kibana to use SSL encryption, i have bought a commercial SSL Certificate, and i got 3 files :
Domain.crt
Domain.key
Domain.ca
I have tried to upload the files to the /etc/pki/tls folder and point to them from kibana.yml but it didn't work.
How can i use these files to create a secure ssl on the server ?

Related

How To Get SSL Working with Elastic Beanstalk, Route53 and Cloudflare

I am struggling to get SSL to work on an elastic beanstalk environment with the following configuration:
I have the domain hosted with GoDaddy, which I have routing through cloudflare, which then routes to Route53 with an A record pointing to my subdomain api.myapp.com (which points to my EB environment).
I am using Cloudflare's full E2E encryption, and am using the SSL certificate provided by cloudflare.
In my EB environment, I am using a Classic Load Balancer and have the following configuration (note: my application uses websockets hence the TCP port):
I've added the SSL certificate to the HTTPS configuration but when I navigate to api.myapp.com I am still getting the "your connection is not secure" in the browser.
Does anyone have any suggestions on how to resolve the issue?
The free ssl from zerossl.com works. After the validation and others stuffs at the end you will get three files.
Using AWS Console
Download the zip files containing certificate, chain and private. Goto AWS certificate manager -> import certificate -> add all the details -> review and import the certificate.
Using AWS CLI, which will output the certificate identifier
aws iam upload-server-certificate --server-certificate-name ish --certificate-body file://certificate.crt --certificate-chain file://ca_bundle.crt --private-key file://private.key
Goto AWS Console load balancer and select 443 HTTPs the recent certificate will be available which can be identified by an identifier provided on both the above cases. Apply changes and restart the env. The new certificate will be available.
Turns out that AWS doesn't allow the use of SSL certificates purchased from cloudflare anymore, so I solved it by provisioning one with CA on AWS.

Permanently replacing API server certificates

I have microK8S cluster, and expose the API server at my domain.
The server.crt and server.key in /var/snap/microk8s/1079/certs need to be replaced with the ones that include my domain.
Otherwise, as expected, i get the error:
Unable to connect to the server: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local, not mydonaim.com
With the help of cert-manager I have produced certificates and replaced them, my system works well.
Problem: every time server is restarted, server.crt and server.key are generated again in
/var/snap/microk8s/1079/certs. My custom certs are deleted, making API server unreachable remotely.
How can I stop the system from doing that all the time?
Workaround?
Should I place my certificates elsewhere and edit config files like /var/snap/microk8s/1079/args/kube-controller-manager with the path to those certificates? Are those config files auto-replaced as well?
Cluster information:
Kubernetes version: 1.16.3
Cloud being used: Bare metal, single-node
cluster Installation method: Ubuntu Server with Snaps
Host OS: Ubuntu 18.04.3 LTS
It looks like there is an existing issue that describes copying and modifying the /var/snap/microk8s/current/certs/csr.conf.template to include any extra IP or DNS entries for the generated certificates
Please be aware of the proposed updates in https://discuss.kubernetes.io/t/services-and-ports/11263/6. The following command was required to run in my env:
sudo microk8s refresh-certs

Add Godaddy SSL to AWS EC2 instance

I have Godaddy Domain Pointed to AWS EC2 instance and also I have Purchased SSL from GoDaddy. I need to enable HTTPS for my side now. My I have Ubuntu instance with Apache installed.
Thanks
You need to generate csr file first on ec2, after validation, download the certificates. Afterwards enable ssl on apache2 in the config file. You can follow this tutorial on digital ocean for detailed explantaion
Please generate your CSR first, you can ask support team to generate it for you
Enroll your CSR on Godaddy SSL portal
Then, you can install your .cer on the server.
If you are not too sure, you can ask help from support team

ERR_SSL_PROTOCOL_ERROR After Installing SSL

I am on a very newby level when it comes to AWS and SSL.
I got an SSL from GoDaddy. After that I generated the .csr file on AWS and I got an elastic IP. I created a subdomain on godaddy sub.mydomain.com that points to that IP.
I installed the certs following the instructions a found online, but now I get an error. I've tried installing apache2 on the EC2 and rebooting the instance but no luck yet.
Is there a way to remove the SSL cert or Fix the issue? When I got the SSL from GoDaddy, the zip had 2 files and ran the following command to install them:
sudo java -jar lib/ace.jar import_cert gd_bundle-g2-g1.crt gdroot-g2.crt sfroot-g2.crt 54581acbeba8a74e.crt
System said the certs were installed but now as I get that error, on the EC2 we have a unifi controller and we want to get that SSLrunning to accept payments for the hotspot.
I had the same issues my controller is hosted on an EC2 instance.
Check your system.properties which sits in /var/lib/unifi/ open the file with vim or your text editor of choice.
Have a look at your HTTPS options, the important ones are the ciphers and protocols.
The Protocols you need are TLSv1 and potentially SSLv2Hello there should be no other SSL protocols in there.
The Ciphers you ideally want are TLS, so for example TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
If you are having issues throw them all in, CAUTION! only use this in a demo /test environment.
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
Remember once you have edited the system.properties you need to restart the controller.
sudo service unifi restart
Lots of help on the Unifi page
UniFi - SSL Certificate Error
UniFi - Explaining the config.properties File
UniFi - system.properties File Explanation

Using SSL with docker containers

I am having a trouble related with SSL certificates.
I have a server running service in a docker container, I installed Caddy and get the SSL certificate for the site. Now, from other server I want to consume the service with HTTPS, but I get:
x509: certificate signed by unknown authority exit status 1
And, it seems to be a common issue when using docker + SSL. What should I do? thanks
Install the ca-certificates package.