Error in Kibana "xpack => unable to get local issuer certificate"

Abhishek_Kumar7 · September 19, 2020, 11:11pm

I have a single node server with ES and Kibana hosted on it. I have put them behind an ELB , under a domain name .
Assume :- kibana.xyz.com and elasticsearch.xyz.com
I have enabled http ssl in elasticsearch and copy pasted the pem to kibana but it's not working.
While creating http ssl i typed both domain name to check if that is the cause , but no help leaving it blank or passing it makes not difference
PFB elasticsearch.yml

cluster.name: my-application
node.name: elk-01
network.host: x.x.x.x
discovery.seed_hosts: ["elk-01"]
cluster.initial_master_nodes: ["elk-01"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.authc:
  anonymous:
    roles: kibana_system
    authz_exception: false
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/home/elasticsearch/log_services/elasticsearch-7.9.1/config/new_http.p12"

PFB kibana.yml

server.host: "0.0.0.0"
elasticsearch.hosts: ["https://test-elasticsearch.xyz.com"]
elasticsearch.username: "elastic"
elasticsearch.password: "xxxx"
xpack.security.enabled: true
xpack.reporting.encryptionKey: "5HLw1U6ot9tU490VivE1rR9ymirksJLM"
xpack.encryptedSavedObjects.encryptionKey: "5HLw1U6ot9tU490VivE1rR9ymirksJLM"
elasticsearch.ssl.certificateAuthorities: "/home/elasticsearch/log_services/kibana-7.9.1-linux-x86_64/config/elasticsearch-new-ca.pem"
logging.dest: /home/elasticsearch/log_services/kibana7/logs/kibana.log

I have followed below links completely to implement this

https://techexpert.tips/elasticsearch/elasticsearch-enable-tls-https/
https://www.elastic.co/guide/en/elasticsearch/reference/7.9/configuring-tls.html#node-certificates
https://www.elastic.co/guide/en/kibana/7.9/configuring-tls.html

I am sure that transport certificates are fine as without tls implementation it works well in this dev env and prod as well.
I am using 7.9.1 version of elastic,kibana and agent.

{"type":"log","@timestamp":"2020-09-19T22:55:00Z","tags":["warning","elasticsearch","data"],"pid":5047,"message":"Unable to revive connection: https://test-elasticsearch.xyz.com/"}
{"type":"log","@timestamp":"2020-09-19T22:55:00Z","tags":["warning","elasticsearch","data"],"pid":5047,"message":"No living connections"}

TimV · September 21, 2020, 12:24am

What sort of ELB did you use?

If it's an Application Load Balancer, then it will terminate the TLS connection and the certificate you need to configure in Kibana is the one that ELB is using, not the one that Elasticsearch is configured to use.

system · October 19, 2020, 12:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.