Can't set up Elasticsearch cluster monitoring with Metricbeat

Hello. I have a cluster with 3 Elasticsearch master servers (7.17.6) on Windows 10. Here is my elasticsearch.yml for the first server (commented lines deleted, names and IPs edited):

cluster.name: MyCluster
node.name: MyMaster1
path.data: "D:\\Elastic\\Elasticsearch\\data"
path.logs: "D:\\Elastic\\Elasticsearch\\logs"
network.host: 10.0.0.1
discovery.seed_hosts:
  - 10.0.0.2:9300
  - 10.0.0.3:9300
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Kibana (7.17.6) and Metricbeat (7.17.6) are also installed on MyMaster1. Here is metricbeat.yml:

metricbeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
output.elasticsearch:
  hosts: ["https://10.0.0.1:9200", "https://10.0.0.2:9200", "https://10.0.0.3:9200"]
  protocol: "https"
  username: "remote_monitoring_user"
  password: "MyPassword"
  ssl:
    enabled: true
    certificate_authorities: ["C:\\Program Files\\Metricbeat\\ca.crt"]
    verification_mode: "none"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

Testing config (host info removed):

PS C:\Program Files\Metricbeat> .\metricbeat.exe test config -e
2022-10-20T10:45:44.383-0300	INFO	instance/beat.go:685	Home path: [C:\Program Files\Metricbeat] Config path: [C:\Program Files\Metricbeat] Data path: [C:\Program Files\Metricbeat\data] Logs path: [C:\Program Files\Metricbeat\logs] Hostfs Path: [/]
2022-10-20T10:45:44.395-0300	INFO	instance/beat.go:693	Beat ID: 6fe8af65-f12c-455e-8396-061e2f859d4e
2022-10-20T10:45:47.418-0300	WARN	[add_cloud_metadata]	add_cloud_metadata/provider_aws_ec2.go:79	read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2022-10-20T10:45:47.419-0300	INFO	[beat]	instance/beat.go:1039	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Metricbeat", "data": "C:\\Program Files\\Metricbeat\\data", "home": "C:\\Program Files\\Metricbeat", "logs": "C:\\Program Files\\Metricbeat\\logs"}, "type": "metricbeat", "uuid": "6fe8af65-f12c-455e-8396-061e2f859d4e"}}}
2022-10-20T10:45:47.419-0300	INFO	[beat]	instance/beat.go:1048	Build info	{"system_info": {"build": {"commit": "121b2ab96f118e6999f0a4be8e98827a809337db", "libbeat": "7.17.6", "time": "2022-08-23T12:50:11.000Z", "version": "7.17.6"}}}
2022-10-20T10:45:47.419-0300	INFO	[beat]	instance/beat.go:1051	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.18.2"}}}
2022-10-20T10:45:47.430-0300	INFO	[beat]	instance/beat.go:1055	Host info	[...]
2022-10-20T10:45:47.430-0300	INFO	[beat]	instance/beat.go:1084	Process info	{"system_info": {"process": {"cwd": "C:\\Program Files\\Metricbeat", "exe": "C:\\Program Files\\Metricbeat\\metricbeat.exe", "name": "metricbeat.exe", "pid": 9828, "ppid": 9928, "start_time": "2022-10-20T10:45:35.387-0300"}}}
2022-10-20T10:45:47.430-0300	INFO	instance/beat.go:328	Setup Beat: metricbeat; Version: 7.17.6
2022-10-20T10:45:47.430-0300	INFO	[index-management]	idxmgmt/std.go:184	Set output.elasticsearch.index to 'metricbeat-7.17.6' as ILM is enabled.
2022-10-20T10:45:47.431-0300	INFO	[esclientleg]	eslegclient/connection.go:105	elasticsearch url: https://10.0.0.1:9200
2022-10-20T10:45:47.431-0300	INFO	[publisher]	pipeline/module.go:113	Beat name: MYMASTER1NAME
Config OK

Then (lines with same info as above removed):

PS C:\Program Files\Metricbeat> .\metricbeat.exe setup -e
[...]
2022-10-20T11:14:46.933-0300    INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: https://10.0.0.1:9200
2022-10-20T11:14:46.974-0300    ERROR   [esclientleg]   transport/logging.go:37 Error dialing x509: certificate signed by unknown authority     {"network": "tcp", "address": "10.0.0.1:9200"}
2022-10-20T11:14:46.974-0300    ERROR   [esclientleg]   eslegclient/connection.go:232   error connecting to Elasticsearch at https://10.0.0.1:9200: Get "https://10.0.0.1:9200": x509: certificate signed by unknown authority
2022-10-20T11:14:46.976-0300    ERROR   instance/beat.go:1014   Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.0.0.1:9200: Get "https://10.0.0.1:9200": x509: certificate signed by unknown authority]
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.0.0.1:9200: Get "https://10.0.0.1:9200": x509: certificate signed by unknown authority]

I originally created the certificate files (CA, Elasticsearch nodes and Kibana) with a command like:

bin\elasticsearch-certutil cert --keep-ca-key --pem --in .\instances.yml --out .\CERT\certs.zip

The instances.yml file was like:

instances:
  - name: 'MyMaster1'
    dns: [ '10.0.0.1' ]
  - name: "MyMaster2"
    dns: [ '10.0.0.2' ]
  - name: 'MyMaster3'
    dns: [ '10.0.0.3' ]
  - name: 'MyKibana'
    dns: [ '10.0.0.1' ]

Later I switched to elastic-certificates.p12 files for each Elasticsearch server. I don't remember now which tool or command I used to create the .p12 files from the pre-existing node certificate files. I have just opened the CA certificate within the .p12 file and the stand-alone .crt PEM file originally created by certutil to compare them, and they have different properties. Is this expected or not? Could this be the cause of the "certificate signed by unknown authority" error?
