Connecting to Elasticsearch from GUI using API and http security

I am currently running ES 7.11.1 and have set up basic security using a self created ca, certificates for each ES node, and ssl.http for External API access. All nodes and Kibana connect and work without an issue.

However, I am unable to get my search GUI, which connects to the API on the back end, to connect to the ES node I set up for the connection. I get a net::ERR_CERT_AUTHORITY_INVALID error when it attempts to connect to the ES node.

The GUI has a non self-signed certificate and I have added the root ca for the GUI cert to the elastic ssl.transport.keystore/truststore (same file) and I have also added the root ca to the http.p12 file.

Xpack config from Elasticsearch.yml file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: <path to node cert>
xpack.security.transport.ssl.truststore.path: <path to node cert>
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12

Any suggestions on what I might try next?

Thanks!

Are the Kibana HTTPS and Elasticsearch HTTPS certs signed by different CA certificates?

For this error, I think Kibana might not be trusting the Elasticsearch HTTPS cert chain, so append the Elasticsearch CA cert to the Kibana trusted CA certs list setting.

Another option is use a single CA to sign all of your HTTPS certs, so they all trust each other, and external access to both Kibana and Elasticsearch only need to import that common CA cert.

Thanks for the reply,

The Kibana https and Elasticsearch https file are the same and are working.

The issue is with a search GUI that is separate from Kibana that is using a certificate from a outside CA.

The HTTPS p12 file is a self-signed certificate created using the Elasticsearch documentation and uses an Elasticsearch created CA.

I have tried importing the root CA of the GUI certificate into the HTTPS cert and the transport truststore.

What does Elasticsearch use to authorize access for HTTPS? Elasticsearch.keystore? The file in the xpack.security.http.ssl.keystore.path? A different file?

Thank you again.