[ConnectionError]: unable to verify the first certificate

I'm currently trying to set up Kibana together with Elasticsearch within the same docker-compose.

In order to avoid any issue with the SSL certificates, I generated a "real" (not self-signed) certificate that I'm using on both services.

docker-compose.yml

The services are defined as follows:

services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.2.2
    environment:
      - "discovery.type=single-node"
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - "xpack.security.enabled=true"
      - "xpack.security.http.ssl.certificate_authorities=[\"/usr/share/elasticsearch/config/certificates/ca.pem\"]"
      - "xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch.pem"
      - "xpack.security.http.ssl.enabled=true"
      - "xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch.key"
      - "xpack.security.transport.ssl.certificate_authorities=[\"/usr/share/elasticsearch/config/certificates/ca.pem\"]"
      - "xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch.pem"
      - "xpack.security.transport.ssl.enabled=true"
      - "xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch.key"
      - ELASTIC_PASSWORD={{ ELASTIC_PASSWORD }}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - {{ es_path }}/data:/usr/share/elasticsearch/data:z
      - {{ es_path}}/certs:/usr/share/elasticsearch/config/certificates
    ports:
      - "9200:9200"

  kibana:
    build:
      context: {{ es_path }}/kibana
      dockerfile: kibana-dockerfile
    volumes:
      - {{ es_path }}/kibana/:/usr/share/kibana/config/
      - {{ es_path }}/certs/:/etc/kibana/certs:ro
    ports:
      - "5601:5601"

kibana dockerfile

As you can see, the kibana container is built through a dockerfile. The only thing the dockerfile does is generate a service account token and push it to the kibana.yml file before launching the entrypoint from elastic's entrypoint.

kibana.yml

# Managed by Ansible
---
elasticsearch.hosts: ["https://myserver.mydomain.com:9200"]
elasticsearch.serviceAccountToken: "*****"
logging.root.level: "debug"
server.name: "my-kibana"
server.port: 5601
server.publicBaseUrl: http://myserver.mydomain.com:5601
server.ssl.certificate: /etc/kibana/certs/elasticsearch.pem
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.pem"]
server.ssl.enabled: true
server.ssl.key: /etc/kibana/certs/elasticsearch.key
xpack.encryptedSavedObjects.encryptionKey: "*****"
xpack.reporting.encryptionKey: "*****"
xpack.security.encryptionKey: "*****"

Manually testing the connection

When I try to connect manually from Kibana to Elasticsearch, I get no error:

kibana@73f42c7a2fb5:~$ curl --cacert /etc/kibana/certs/ca.pem -H "Authorization: Bearer *****" https://myserver.mydomain.com/_cat/health
1654697845 14:17:25 docker-cluster green 1 1 2 2 0 0 0 0 - 100.0%

Even if it works properly manually, I keep on getting the below error message in the logs:

[ConnectionError]: unable to verify the first certificate

What did I miss?

I was actually simply not putting the CA certificate into the certificate file of the machine.
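
The fix described in the answer can be checked with openssl. This is an added example, not part of the original post: it assumes the missing piece was the issuing (intermediate) CA certificate in the server's certificate file, and it builds a throwaway root, intermediate and server certificate (all names constructed) to compare a leaf-only file with a full-chain file when the client trusts only the root in ca.pem.

```shell
#!/usr/bin/env bash
# Added example; every subject and file name here is constructed.

# chain_complete CERT_FILE CA_FILE
# Succeeds when the first certificate in CERT_FILE chains to CA_FILE using only
# the extra certificates carried in CERT_FILE itself. That is what a TLS client
# trusting CA_FILE alone has to work with after the handshake.
chain_complete() {
  openssl verify -no-CApath -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# issue DIR NAME ISSUER IS_CA: new key and certificate for NAME signed by ISSUER.
issue() {
  local d="$1" name="$2" issuer="$3" is_ca="$4"
  printf 'basicConstraints=critical,CA:%s\n' "$is_ca" > "$d/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$name.csr" -days 1 -CAcreateserial \
    -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
    -extfile "$d/$name.ext" -out "$d/$name.pem" 2>/dev/null
}

# make_demo_pki DIR: throwaway root -> intermediate -> server, plus two
# candidate server certificate files and a ca.pem holding only the root.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  issue "$d" intermediate root TRUE &&
  issue "$d" server intermediate FALSE &&
  cp "$d/root.pem" "$d/ca.pem" &&
  cp "$d/server.pem" "$d/leaf-only.pem" &&
  cat "$d/server.pem" "$d/intermediate.pem" > "$d/fullchain.pem"
}

demo() {
  local d f
  d=$(mktemp -d) && make_demo_pki "$d" || return 1
  for f in leaf-only.pem fullchain.pem; do
    if chain_complete "$d/$f" "$d/ca.pem"; then
      echo "$f: chain verifies against ca.pem"
    else
      echo "$f: incomplete chain, issuing CA certificate missing"
    fi
  done
  rm -rf "$d"
}
demo
```

Against real files the same check is `chain_complete elasticsearch.pem ca.pem`, run in the mounted certificates directory.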
