I'm currently trying to set up Kibana together with Elasticsearch within the same docker-compose.
In order to avoid any issue with the SSL certificates, I generated a "real" (not self-signed) certificate that I'm using on both services.
docker-compose.yml
The services are defined as follows:
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.2.2
    environment:
      - "discovery.type=single-node"
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - "xpack.security.enabled=true"
      - "xpack.security.http.ssl.certificate_authorities=[\"/usr/share/elasticsearch/config/certificates/ca.pem\"]"
      - "xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch.pem"
      - "xpack.security.http.ssl.enabled=true"
      - "xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch.key"
      - "xpack.security.transport.ssl.certificate_authorities=[\"/usr/share/elasticsearch/config/certificates/ca.pem\"]"
      - "xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch.pem"
      - "xpack.security.transport.ssl.enabled=true"
      - "xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch.key"
      - ELASTIC_PASSWORD={{ ELASTIC_PASSWORD }}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - {{ es_path }}/data:/usr/share/elasticsearch/data:z
      - {{ es_path }}/certs:/usr/share/elasticsearch/config/certificates
    ports:
      - "9200:9200"
  kibana:
    build:
      context: {{ es_path }}/kibana
      dockerfile: kibana-dockerfile
    volumes:
      - {{ es_path }}/kibana/:/usr/share/kibana/config/
      - {{ es_path }}/certs/:/etc/kibana/certs:ro
    ports:
      - "5601:5601"
kibana dockerfile
As you can see, the Kibana container is built through a Dockerfile. The only thing the Dockerfile does is generate a service account token and push it to the kibana.yml file before launching the entrypoint from Elastic's entrypoint.
kibana.yml
# Managed by Ansible
---
elasticsearch.hosts: ["https://myserver.mydomain.com:9200"]
elasticsearch.serviceAccountToken: "*****"
logging.root.level: "debug"
server.name: "my-kibana"
server.port: 5601
server.publicBaseUrl: http://http://myserver.mydomain.com:5601
server.ssl.certificate: /etc/kibana/certs/elasticsearch.pem
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.pem"]
server.ssl.enabled: true
server.ssl.key: /etc/kibana/certs/elasticsearch.key
xpack.encryptedSavedObjects.encryptionKey: "*****"
xpack.reporting.encryptionKey: "*****"
xpack.security.encryptionKey: "*****"
Manually testing the connection
When I try to connect manually from Kibana to Elasticsearch, I get no error:
kibana@73f42c7a2fb5:~$ curl --cacert /etc/kibana/certs/ca.pem -H "Authorization: Bearer *****" https://myserver.mydomain.com/_cat/health
1654697845 14:17:25 docker-cluster green 1 1 2 2 0 0 0 0 - 100.0%
Even though it works properly manually, I keep getting the error message below in the logs:
[ConnectionError]: unable to verify the first certificate
What did I miss?
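
One thing to check in a configuration like the one above, as an added example that is not part of the original post: the `server.ssl.*` settings cover connections into Kibana, while trust for the outbound connection to Elasticsearch is configured under `elasticsearch.ssl.*`, which the posted kibana.yml does not set. The function names and the sample text below are constructed for illustration.

```python
import re

# Constructed sample: the Elasticsearch/TLS-related keys from the kibana.yml above.
SAMPLE = """\
elasticsearch.hosts: ["https://myserver.mydomain.com:9200"]
server.ssl.certificate: /etc/kibana/certs/elasticsearch.pem
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.pem"]
server.ssl.enabled: true
server.ssl.key: /etc/kibana/certs/elasticsearch.key
"""

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' form used in kibana.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        key, sep, value = line.partition(":")  # keys contain no ':'; values may
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def check_outbound_tls(settings):
    """Return findings about how Kibana will verify the Elasticsearch certificate."""
    hosts = settings.get("elasticsearch.hosts", "")
    if "https://" not in hosts:
        return ["elasticsearch.hosts does not use https; no TLS verification happens"]
    findings = []
    mode = settings.get("elasticsearch.ssl.verificationMode", "full").strip("\"'")
    if mode == "none":
        findings.append("verificationMode is 'none': the server certificate is not checked")
    ca = settings.get("elasticsearch.ssl.certificateAuthorities", "")
    if not re.search(r"[^\[\]\s\"']", ca):  # empty, or an empty list
        findings.append("elasticsearch.ssl.certificateAuthorities is not set: Kibana "
                        "falls back to the default trust store of its Node.js runtime")
        if settings.get("server.ssl.certificateAuthorities"):
            findings.append("server.ssl.certificateAuthorities is set, but it applies "
                            "to connections into Kibana, not to Elasticsearch")
    return findings

if __name__ == "__main__":
    for finding in check_outbound_tls(parse_flat_yaml(SAMPLE)):
        print("-", finding)
```

When the check reports a missing CA, the manual curl test can still succeed, because `--cacert` hands curl the CA file explicitly.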