[ConnectionError]: unable to verify the first certificate

I'm currently trying to set up Kibana together with Elasticsearch within the same docker-compose.

In order to avoid any issue with the SSL certificates, I generated a "real" (not self-signed) certificate that I'm using on both services.

docker-compose.yml

The services are defined as follows:

services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.2.2
    environment:
      - "discovery.type=single-node"
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - "xpack.security.enabled=true"
      - "xpack.security.http.ssl.certificate_authorities=[\"/usr/share/elasticsearch/config/certificates/ca.pem\"]"
      - "xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch.pem"
      - "xpack.security.http.ssl.enabled=true"
      - "xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch.key"
      - "xpack.security.transport.ssl.certificate_authorities=[\"/usr/share/elasticsearch/config/certificates/ca.pem\"]"
      - "xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch.pem"
      - "xpack.security.transport.ssl.enabled=true"
      - "xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch.key"
      - ELASTIC_PASSWORD={{ ELASTIC_PASSWORD }}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - {{ es_path }}/data:/usr/share/elasticsearch/data:z
      - {{ es_path}}/certs:/usr/share/elasticsearch/config/certificates
    ports:
      - "9200:9200"

  kibana:
    build:
      context: {{ es_path }}/kibana
      dockerfile: kibana-dockerfile
    volumes:
      - {{ es_path }}/kibana/:/usr/share/kibana/config/
      - {{ es_path }}/certs/:/etc/kibana/certs:ro
    ports:
      - "5601:5601"

kibana dockerfile

As you can see, the Kibana container is built through a Dockerfile. The only thing the Dockerfile does is generate a service account token and push it to the kibana.yml file before launching the entrypoint from Elastic's entrypoint.

kibana.yml

# Managed by Ansible
---
elasticsearch.hosts: ["https://myserver.mydomain.com:9200"]
elasticsearch.serviceAccountToken: "*****"
logging.root.level: "debug"
server.name: "my-kibana"
server.port: 5601
server.publicBaseUrl: http://myserver.mydomain.com:5601
server.ssl.certificate: /etc/kibana/certs/elasticsearch.pem
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.pem"]
server.ssl.enabled: true
server.ssl.key: /etc/kibana/certs/elasticsearch.key
xpack.encryptedSavedObjects.encryptionKey: "*****"
xpack.reporting.encryptionKey: "*****"
xpack.security.encryptionKey: "*****"

Manually testing the connection

When I try to connect manually from Kibana to Elasticsearch, I get no error:

kibana@73f42c7a2fb5:~$ curl --cacert /etc/kibana/certs/ca.pem -H "Authorization: Bearer *****" https://myserver.mydomain.com/_cat/health
1654697845 14:17:25 docker-cluster green 1 1 2 2 0 0 0 0 - 100.0%

Even if it works properly manually, I keep on getting the below error message in the logs:

[ConnectionError]: unable to verify the first certificate

What did I miss?

I was actually simply not putting the CA certificate into the certificate file of the machine.
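
The fix in the answer above, reproduced offline as an added example that is not part of the original post. It assumes "the certificate file" means the PEM file the server presents, and it needs the `openssl` CLI. The root, issuing CA and leaf are constructed here with made-up subjects; a client that trusts only the root rejects the leaf-only file and accepts the one with the CA certificate appended.

```shell
#!/bin/sh
# Added example; every subject and file name here is constructed for the demo.
set -eu

# new_cert NAME SUBJECT [SIGNER]: key + certificate in the current directory.
# Self-signed when SIGNER is omitted; all but "leaf" get basicConstraints CA:TRUE.
new_cert() {
  name=$1; subj=$2; signer=${3:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "$subj" -out "$name.csr" 2>/dev/null
  set -- -req -in "$name.csr" -days 1 -out "$name.pem"
  if [ -n "$signer" ]; then
    set -- "$@" -CA "$signer.pem" -CAkey "$signer.key" -CAcreateserial
  else
    set -- "$@" -signkey "$name.key"
  fi
  [ "$name" = leaf ] || set -- "$@" -extfile ca.ext
  openssl x509 "$@" 2>/dev/null
}

# served_verifies ROOTS SERVED: succeed if the first certificate in SERVED (the
# leaf) chains to ROOTS using only the extra certificates SERVED itself carries,
# i.e. what a client sees when it trusts the root but not the issuing CA.
served_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() (
  D=$(mktemp -d); trap 'rm -rf "$D"' EXIT; cd "$D"
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  new_cert root '/CN=Constructed Root CA'
  new_cert ca   '/CN=Constructed Issuing CA' root
  new_cert leaf '/CN=myserver.mydomain.com'  ca
  cat leaf.pem        > served-leaf-only.pem   # certificate file without its CA
  cat leaf.pem ca.pem > served-fullchain.pem   # CA certificate appended
  for f in served-leaf-only.pem served-fullchain.pem; do
    if served_verifies root.pem "$f"; then r=OK; else r=FAIL; fi
    printf '%s certs=%s verify=%s\n' "$f" "$(grep -c 'BEGIN CERTIFICATE' "$f")" "$r"
  done
)

demo
```

To see which certificates a running server actually sends, `openssl s_client -connect myserver.mydomain.com:9200 -showcerts` lists each one it presents.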