Elasticsearch unable to verify the first certificate error

Hi all,

I tried setting up X-Pack Security on a single host, single node and everything worked fine. Now I am trying to set it up using 3 different hosts (Elasticsearch, Kibana and Logstash), with 2 elasticsearch nodes (1 on Elasticsearch host and 1 on the Kibana host). Everything worked fine up to Authentication and Authorization.

I created three certificates (1 for each ES node and 1 for the KB node) on the elasticsearch host using the certgen tool with the below settings:

Enter instance name: localhost
Enter name for directories and files [localhost]: esnode1
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1,::1
Enter DNS names for instance (comma-separated if more than one) []:
Would you like to specify another instance? Press 'y' to continue entering instance information: n

Enter instance name: localhost
Enter name for directories and files [localhost]: esnode2
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1,::1
Enter DNS names for instance (comma-separated if more than one) []:
Would you like to specify another instance? Press 'y' to continue entering instance information: n

Enter instance name: localhost
Enter name for directories and files [localhost]: kibana
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1,::1
Enter DNS names for instance (comma-separated if more than one) []:
Would you like to specify another instance? Press 'y' to continue entering instance information: n

I copied the certs to the respective host and directories, making use of the ca cert generated by esnode1 as the common ca cert for all nodes. Starting elasticsearch from the "elasticsearch/bin" directory seems to work fine but I get the error below when I try to start Kibana from "kibana/bin".

  log   [09:20:33.715] [info][status][plugin:kibana@5.1.2] Status changed from uninitialized to green - Ready
  log   [09:20:33.751] [info][status][plugin:elasticsearch@5.1.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [09:20:33.769] [info][status][plugin:xpack_main@5.1.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [09:20:33.782] [error][elasticsearch] Request error, retrying
HEAD https://127.0.0.1:9200/ => unable to verify the first certificate
  log   [09:20:33.797] [info][status][plugin:graph@5.1.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [09:20:33.807] [warning][elasticsearch] Unable to revive connection: https://127.0.0.1:9200/
  log   [09:20:33.807] [warning][elasticsearch] No living connections

When I also try to access Kibana from my browser, it returns 'ERR_TOO_MANY_REDIRECTS'. I tried debugging these errors using the curl command; on the elasticsearch host, I get the right response, but on the kibana host, I get this error:

[user@compute-kbn-b1c0c ~]$ sudo curl --cacert elasticsearch-5.1.2/config/x-pack/ca.crt -XGET -u elastic:changeme 'https://127.0.0.1:9200'
curl: (60) Peer's Certificate issuer is not recognized.

I further added the ca.crt to my kibana host trust store but it is still not working. Please, how can I go about solving this problem? I realised a similar issue has been raised previously, but on going through the post I realised it wasn't exactly the same problem as mine. Thank you.

If this is exactly what you entered into certgen, then you have made a mistake here.

You said at the beginning that you had 3 different hosts. But yet you've called each instance localhost and said that it has an IP address of 127.0.0.1.

When one node communicates with another node, it won't be connecting via 127.0.0.1, it will be connecting via some other IP address and/or DNS name.

When you run certgen, you need to use the public IP of the servers, and put in real DNS names.
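
To illustrate the reply above, here is an added example (not from the thread and not Elastic's code) that checks whether a certificate's subjectAltName entries cover the addresses other hosts will actually connect to. The certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the address 192.0.2.10 and the name es1.example.internal are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample: SANs as entered into certgen in the question (loopback only).
AS_ISSUED = {"subjectAltName": (("IP Address", "127.0.0.1"),
                                ("IP Address", "0:0:0:0:0:0:0:1"))}
# Constructed sample: a reissued certificate with a routable IP and a DNS name.
REISSUED = {"subjectAltName": (("DNS", "es1.example.internal"),
                               ("IP Address", "192.0.2.10"),
                               ("IP Address", "127.0.0.1"))}


def san_entries(cert):
    """Split a getpeercert()-style dict into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips


def _dns_match(pattern, host):
    """Exact match, or a wildcard that replaces only the whole leftmost label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covers(cert, endpoint):
    """True if the name or IP a client dials appears in the certificate's SANs."""
    dns, ips = san_entries(cert)
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:  # not an IP literal, so compare against DNS SANs
        return any(_dns_match(p, endpoint.lower().rstrip(".")) for p in dns)
    return addr in ips  # IP endpoints are only matched against IP SANs


def uncovered(cert, endpoints):
    """Endpoints a TLS client would reject for this certificate."""
    return [e for e in endpoints if not covers(cert, e)]


if __name__ == "__main__":
    dialed = ["127.0.0.1", "::1", "192.0.2.10", "es1.example.internal"]
    print("as issued:", uncovered(AS_ISSUED, dialed))
    print("reissued: ", uncovered(REISSUED, dialed))
```
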

Thanks for your response; I am able to get it working now, but I have one more question please: am I required to create certificates for each host or for each node?
