Hello. I have a cluster with 3 Elasticsearch master servers (7.17.6) on Windows 10. Here is my elasticsearch.yml for the first server (commented lines deleted, names and IPs edited):
cluster.name: MyCluster
node.name: MyMaster1
path.data: "D:\\Elastic\\Elasticsearch\\data"
path.logs: "D:\\Elastic\\Elasticsearch\\logs"
network.host: 10.0.0.1
discovery.seed_hosts:
- 10.0.0.2:9300
- 10.0.0.3:9300
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
Kibana (7.17.6) and Metricbeat (7.17.6) are also installed on MyMaster1. Here is metricbeat.yml:
metricbeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
output.elasticsearch:
  hosts: ["https://10.0.0.1:9200", "https://10.0.0.2:9200", "https://10.0.0.3:9200"]
  protocol: "https"
  username: "remote_monitoring_user"
  password: "MyPassword"
  ssl:
    enabled: true
    certificate_authorities: ["C:\\Program Files\\Metricbeat\\ca.crt"]
    verification_mode: "none"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
Testing config (host info removed):
PS C:\Program Files\Metricbeat> .\metricbeat.exe test config -e
2022-10-20T10:45:44.383-0300 INFO instance/beat.go:685 Home path: [C:\Program Files\Metricbeat] Config path: [C:\Program Files\Metricbeat] Data path: [C:\Program Files\Metricbeat\data] Logs path: [C:\Program Files\Metricbeat\logs] Hostfs Path: [/]
2022-10-20T10:45:44.395-0300 INFO instance/beat.go:693 Beat ID: 6fe8af65-f12c-455e-8396-061e2f859d4e
2022-10-20T10:45:47.418-0300 WARN [add_cloud_metadata] add_cloud_metadata/provider_aws_ec2.go:79 read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2022-10-20T10:45:47.419-0300 INFO [beat] instance/beat.go:1039 Beat info {"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Metricbeat", "data": "C:\\Program Files\\Metricbeat\\data", "home": "C:\\Program Files\\Metricbeat", "logs": "C:\\Program Files\\Metricbeat\\logs"}, "type": "metricbeat", "uuid": "6fe8af65-f12c-455e-8396-061e2f859d4e"}}}
2022-10-20T10:45:47.419-0300 INFO [beat] instance/beat.go:1048 Build info {"system_info": {"build": {"commit": "121b2ab96f118e6999f0a4be8e98827a809337db", "libbeat": "7.17.6", "time": "2022-08-23T12:50:11.000Z", "version": "7.17.6"}}}
2022-10-20T10:45:47.419-0300 INFO [beat] instance/beat.go:1051 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.18.2"}}}
2022-10-20T10:45:47.430-0300 INFO [beat] instance/beat.go:1055 Host info [...]
2022-10-20T10:45:47.430-0300 INFO [beat] instance/beat.go:1084 Process info {"system_info": {"process": {"cwd": "C:\\Program Files\\Metricbeat", "exe": "C:\\Program Files\\Metricbeat\\metricbeat.exe", "name": "metricbeat.exe", "pid": 9828, "ppid": 9928, "start_time": "2022-10-20T10:45:35.387-0300"}}}
2022-10-20T10:45:47.430-0300 INFO instance/beat.go:328 Setup Beat: metricbeat; Version: 7.17.6
2022-10-20T10:45:47.430-0300 INFO [index-management] idxmgmt/std.go:184 Set output.elasticsearch.index to 'metricbeat-7.17.6' as ILM is enabled.
2022-10-20T10:45:47.431-0300 INFO [esclientleg] eslegclient/connection.go:105 elasticsearch url: https://10.0.0.1:9200
2022-10-20T10:45:47.431-0300 INFO [publisher] pipeline/module.go:113 Beat name: MYMASTER1NAME
Config OK
Then (lines with same info as above removed):
PS C:\Program Files\Metricbeat> .\metricbeat.exe setup -e
[...]
2022-10-20T11:14:46.933-0300 INFO [esclientleg] eslegclient/connection.go:105 elasticsearch url: https://10.0.0.1:9200
2022-10-20T11:14:46.974-0300 ERROR [esclientleg] transport/logging.go:37 Error dialing x509: certificate signed by unknown authority {"network": "tcp", "address": "10.0.0.1:9200"}
2022-10-20T11:14:46.974-0300 ERROR [esclientleg] eslegclient/connection.go:232 error connecting to Elasticsearch at https://10.0.0.1:9200: Get "https://10.0.0.1:9200": x509: certificate signed by unknown authority
2022-10-20T11:14:46.976-0300 ERROR instance/beat.go:1014 Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.0.0.1:9200: Get "https://10.0.0.1:9200": x509: certificate signed by unknown authority]
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.0.0.1:9200: Get "https://10.0.0.1:9200": x509: certificate signed by unknown authority]
I originally created the certificate files (CA, Elasticsearch nodes and Kibana) with a command like:
bin\elasticsearch-certutil cert --keep-ca-key --pem --in .\instances.yml --out .\CERT\certs.zip
The instances.yml file was like:
instances:
  - name: 'MyMaster1'
    dns: [ '10.0.0.1' ]
  - name: "MyMaster2"
    dns: [ '10.0.0.2' ]
  - name: 'MyMaster3'
    dns: [ '10.0.0.3' ]
  - name: 'MyKibana'
    dns: [ '10.0.0.1' ]
Later I switched to elastic-certificates.p12 files for each Elasticsearch server. I don't remember now which tool or command I used to create the .p12 files from the pre-existing node certificate files. I have just opened the CA certificate within the .p12 file and the stand-alone .crt PEM file originally created by certutil to compare them, and they have different properties. Is this expected or not? May this be the cause of the "certificate signed by unknown authority" error?
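
One way to test whether a stand-alone ca.crt and the CA stored inside a .p12 keystore are the same CA, and which of them signed the node certificate. This is an added example, not part of the original post: it uses the openssl CLI on a constructed fixture, and every file name, subject and password in it is invented.

```bash
#!/usr/bin/env bash
# Constructed fixture: every name, subject and password below is invented.
WORK=$(mktemp -d); PASS=example-only; DN="/CN=Example Autogenerated CA"

new_ca() {  # $1 = output basename; self-signed CA with the shared subject $DN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$DN" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_fixture() {
  new_ca ca      # plays the stand-alone ca.crt given to the client
  new_ca other   # plays a second CA from a separate run, same subject name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=MyMaster1" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/node.csr" -days 1 -CAcreateserial \
    -CA "$WORK/other.crt" -CAkey "$WORK/other.key" -out "$WORK/node.crt" 2>/dev/null
  # Bundle node key, node cert and its issuing CA the way a node keystore does.
  openssl pkcs12 -export -in "$WORK/node.crt" -inkey "$WORK/node.key" \
    -certfile "$WORK/other.crt" -passout "pass:$PASS" -out "$WORK/node.p12"
}

# Pull the CA certificate and the node certificate back out of a .p12 as PEM.
extract_p12() {  # $1 = .p12 path
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null |
    openssl x509 -out "$WORK/p12-ca.crt"
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null |
    openssl x509 -out "$WORK/p12-node.crt"
}

subject()     { openssl x509 -in "$1" -noout -subject; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# Succeeds only if certificate $2 carries a valid signature from CA file $1.
signed_by()   { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_fixture && extract_p12 "$WORK/node.p12"
[ "$(subject "$WORK/ca.crt")" = "$(subject "$WORK/p12-ca.crt")" ] &&
  echo "subject names are identical"
[ "$(fingerprint "$WORK/ca.crt")" = "$(fingerprint "$WORK/p12-ca.crt")" ] ||
  echo "SHA-256 fingerprints differ: these are two different CAs"
signed_by "$WORK/ca.crt" "$WORK/p12-node.crt" ||
  echo "ca.crt did NOT sign the node certificate"
signed_by "$WORK/p12-ca.crt" "$WORK/p12-node.crt" &&
  echo "the CA inside the .p12 did sign it"
```

Against real files, skip make_fixture, point extract_p12 at the node's keystore with its actual password, and compare the result with the ca.crt the client is configured to trust.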