EnterpriseSearch : "Could not perform access check to Enterprise Search"

flavienbwk · November 16, 2020, 1:51pm

Hi,

I am trying to bind my Enterprise Search instance to my Kibana with SSL.

My Enterprise Search instance works well alone, but Kibana refuses to connect to it :

 {"type":"log","@timestamp":"2020-11-16T13:44:55Z","tags":["error","plugins","enterpriseSearch"],"pid":7,"message":"Could not perform access check to Enterprise Search: FetchError: request to https://enterprise_search:3002/api/ent/v2/internal/client_config failed, reason: self signed certificate in certificate chain"}

I generate my certificates with elasticsearch-certutil and docker-compose :

version: '3.2'

services:

    create_certs:
        container_name: create_certs
        image: docker.elastic.co/elasticsearch/elasticsearch:7.10.0
        command: >
            bash -c '
            if [[ ! -f /certs/ca.zip ]]; then
                # Generating CA certificate
                bin/elasticsearch-certutil ca --silent --pem -out /certs/ca.zip;
                unzip /certs/ca.zip -d /certs;
            fi;
            if [[ ! -f /certs/pem.zip ]]; then
                # Generating PEM certificates (ElasticSearch nodes and Kibana)
                bin/elasticsearch-certutil cert --silent --pem --ca-cert "/certs/ca/ca.crt" --ca-key "/certs/ca/ca.key" --in config/certificates/pem.yml -out /certs/pem.zip;
                unzip /certs/pem.zip -d /certs;
            fi;
            if [[ ! -f /certs/pkcs_12.zip ]]; then
                # Generating PKCS#12 certificates (Enterprise Search)
                bin/elasticsearch-certutil cert --silent --pass "changeme" --ca-cert "/certs/ca/ca.crt" --ca-key "/certs/ca/ca.key" --in config/certificates/pkcs_12.yml -out /certs/pkcs_12.zip;
                unzip /certs/pkcs_12.zip -d /certs;
            fi;
            '
        working_dir: /usr/share/elasticsearch
        volumes: ['./certs:/certs', './instances:/usr/share/elasticsearch/config/certificates']

which leads to this directory structure and files (mounted in /usr/share/elasticsearch/config/certificates) :

And here is my Enterprise Search configuration (env variables) :

JAVA_OPTS: "-Xms2048m -Xmx2048m"
ENT_SEARCH_DEFAULT_PASSWORD: changeme
ent_search.external_url: "https://localhost:3002"
ent_search.auth.source: elasticsearch-native # elasticsearch-based users
ent_search.ssl.enabled: "true"
ent_search.ssl.keystore.path: "/usr/share/elasticsearch/config/certificates/enterprise_search/enterprise_search.p12"
ent_search.ssl.keystore.password: "changeme"
elasticsearch.username: elastic
elasticsearch.password: changeme
elasticsearch.host: "https://es01:9200"
elasticsearch.ssl.enabled: "true"
elasticsearch.ssl.certificate_authority: "/usr/share/elasticsearch/config/certificates/ca/ca.crt"
allow_es_settings_modification: "true"
secret_management.encryption_keys: "[changeme]"

Would you know where the problem comes from ?
Or would there be a way to disable certificate verification from Kibana to EnterpriseSearch ?

Thank you !

ross.bell · November 17, 2020, 5:45pm

Hello!

It looks like you already found the relevant issue: https://github.com/elastic/kibana/issues/76669. It's a known issue that we're tracking.

flavienbwk · November 17, 2020, 6:46pm

Thanks, hoping you can fix this soon !