Hi all,
I tried setting up X-Pack Security on a single host, single node and everything worked fine. Now I am trying to set it up using 3 different hosts (Elasticsearch, Kibana and Logstash), with 2 elasticsearch nodes (1 on Elasticsearch host and 1 on the Kibana host). Everything worked fine up to Authentication and Authorization.
I created three certificates (1 for each ES node and 1 for the KB node) on the elasticsearch host using the certgen tool with the below settings:
Enter instance name: localhost
Enter name for directories and files [localhost]: esnode1
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1,::1
Enter DNS names for instance (comma-separated if more than one) []:
Would you like to specify another instance? Press 'y' to continue entering instance information: n
Enter instance name: localhost
Enter name for directories and files [localhost]: esnode2
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1,::1
Enter DNS names for instance (comma-separated if more than one) []:
Would you like to specify another instance? Press 'y' to continue entering instance information: n
Enter instance name: localhost
Enter name for directories and files [localhost]: kibana
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1,::1
Enter DNS names for instance (comma-separated if more than one) []:
Would you like to specify another instance? Press 'y' to continue entering instance information: n
I copied the certs to the respective host and directories, making use of the ca cert generated by esnode1 as the common ca cert for all nodes. Starting elasticsearch from the "elasticsearch/bin" directory seems to work fine but I get the error below when I try to start Kibana from "kibana/bin".
log [09:20:33.715] [info][status][plugin:kibana@5.1.2] Status changed from uninitialized to green - Ready
log [09:20:33.751] [info][status][plugin:elasticsearch@5.1.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [09:20:33.769] [info][status][plugin:xpack_main@5.1.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [09:20:33.782] [error][elasticsearch] Request error, retrying
HEAD https://127.0.0.1:9200/ => unable to verify the first certificate
log [09:20:33.797] [info][status][plugin:graph@5.1.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [09:20:33.807] [warning][elasticsearch] Unable to revive connection: https://127.0.0.1:9200/
log [09:20:33.807] [warning][elasticsearch] No living connections
When I also try to access kibana from my browser, it returns 'ERR_TOO_MANY_REDIRECTS'. I tried debugging these errors using the curl command; on the elasticsearch host, I get the right response, but on the kibana host, I get this error:
[user@compute-kbn-b1c0c ~]$ sudo curl --cacert elasticsearch-5.1.2/config/x-pack/ca.crt -XGET -u elastic:changeme 'https://127.0.0.1:9200'
curl: (60) Peer's Certificate issuer is not recognized.
I further added the ca.crt to my kibana host trust store but it is still not working. Please, how can I go about solving this problem? I realised a similar issue has been raised previously, but on going through the post I realised it wasn't exactly the same problem as mine. Thank you.
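
A check that narrows down the two errors quoted in the post ("unable to verify the first certificate" and curl's error 60), as an added example that is not part of the original post: it tests whether each node certificate was actually signed by the CA file being distributed as the common one. It assumes the three certgen runs shown above may each have produced their own CA; the CAs and certificates here are constructed with openssl in a temporary directory, and the names ca_run1 and ca_run2 are hypothetical.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for two separate certgen runs.

# make_ca DIR NAME: create a self-signed CA (NAME.key / NAME.crt) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_leaf DIR CA LEAF: create a CN=localhost certificate LEAF.crt signed by CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" >/dev/null 2>&1
}

# check_chain CA_FILE CERT_FILE: exit 0 only if CERT_FILE verifies against CA_FILE.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT_FILE: print the issuer, to compare with the CA's subject.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# demo: esnode1 is signed by ca_run1, esnode2 by ca_run2; both are then
# checked against ca_run1 only, the way one ca.crt is shared across hosts.
demo() {
    d=$(mktemp -d) || return 1
    { make_ca "$d" ca_run1 && make_ca "$d" ca_run2; } || return 1
    { make_leaf "$d" ca_run1 esnode1 && make_leaf "$d" ca_run2 esnode2; } || return 1
    for leaf in esnode1 esnode2; do
        if check_chain "$d/ca_run1.crt" "$d/$leaf.crt"; then
            echo "$leaf: chains to ca_run1"
        else
            echo "$leaf: NOT signed by ca_run1 ($(issuer_of "$d/$leaf.crt"))"
        fi
    done
    rm -rf "$d"
}

demo
```

On real files, `check_chain` takes the shared ca.crt as its first argument and a node's certificate as its second; a failure for any node means that node needs a certificate issued by the same CA, or clients need that node's CA in their trust file.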