I am getting this error when accessing kibana though my elasticsearch is working fine.
I have configured my kibana.yml this way:
server.ssl.cert: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\instancename.crt (same with elastic)
server.ssl.key: D:\Elasticsearch 5.2.2\elasticsearch-5.2.2\config\x-pack\instancename.key (same with elastic)
elasticsearch.ssl.ca: D:\Elasticsearch 5.2.2\kibana-5.2.2-windows-x86\plugins\x-pack\ca.pem (same with elastic)
This behavior is correct actually. It looks like your Kibana instance is using https, but the certificate hasn't been signed by a Certificate Authority your browser trusts so it marks the page as untrusted. You have three options basically.
Live with this warning
Import the CA certificate generated by certgen into your browser
I tested this on my end to ensure things worked as expected. I did run into an issue by double clicking the CA certificate to install it rather than using the import feature from the "Manage Certificates" option in Chrome. The former wouldn't work, the latter did.
Also make sure the certificate is in the "Trusted Root Certification Authorities" tab when you view the Certificates manager.
You should also verify the Kibana certificate has the correct hostname.
Is the server.key and server.crt the same with the node01.key and node01.crt generated in Certgen? Or we need to generate another .key and .crt which Kibana will connect to? Also, what is the subjectAltName the document is referring to? As per checking, if I create another certificate for Kibana they should have the same IP and FQDN since Elasticsearch and Kibana are configured on the same server.
If you used certgen the subjectAltName should be oK (its' just where the DNS and IP address information is held). For example:
$ openssl x509 -in kibana.crt -text | grep -A 1 Alternative
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1
You should very the DNS and IP Address in the certificate are correct using the above command.
As for sharing the same certificate between various services. It's easier from a management perspective. There are some very esoteric reasons not to do this, but in reality the risk is minimal. If you want to share the certificate you probably won't have any problems.
Unless you generated the certificate for "localhost" then that's likely to be the cause of your problem.
The hostname you enter into your browser has to match the hostname that you used when generating the certificate.
If that doesn't solve the problem, then you will need to investigate why your browser is rejecting the certificate. In chrome, you need to use the developer tools and look at the security tab. That will tell you what Chrome thinks is wrong with your certificate - otherwise we're just guessing.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
