Error in Kibana "xpack => unable to get local issuer certificate"

Abhishek_Kumar7 · September 19, 2020, 11:11pm

I have a single node server with ES and Kibana hosted on it. I have put them behind an ELB , under a domain name .
Assume :- kibana.xyz.com and elasticsearch.xyz.com
I have enabled http ssl in elasticsearch and copy pasted the pem to kibana but it's not working.
While creating http ssl i typed both domain name to check if that is the cause , but no help leaving it blank or passing it makes not difference
PFB elasticsearch.yml

cluster.name: my-application
node.name: elk-01
network.host: x.x.x.x
discovery.seed_hosts: ["elk-01"]
cluster.initial_master_nodes: ["elk-01"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.authc:
  anonymous:
    roles: kibana_system
    authz_exception: false
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/home/elasticsearch/log_services/elasticsearch-7.9.1/config/new_http.p12"

PFB kibana.yml

server.host: "0.0.0.0"
elasticsearch.hosts: ["https://test-elasticsearch.xyz.com"]
elasticsearch.username: "elastic"
elasticsearch.password: "xxxx"
xpack.security.enabled: true
xpack.reporting.encryptionKey: "5HLw1U6ot9tU490VivE1rR9ymirksJLM"
xpack.encryptedSavedObjects.encryptionKey: "5HLw1U6ot9tU490VivE1rR9ymirksJLM"
elasticsearch.ssl.certificateAuthorities: "/home/elasticsearch/log_services/kibana-7.9.1-linux-x86_64/config/elasticsearch-new-ca.pem"
logging.dest: /home/elasticsearch/log_services/kibana7/logs/kibana.log

I have followed below links completely to implement this

https://techexpert.tips/elasticsearch/elasticsearch-enable-tls-https/
https://www.elastic.co/guide/en/elasticsearch/reference/7.9/configuring-tls.html#node-certificates
https://www.elastic.co/guide/en/kibana/7.9/configuring-tls.html

I am sure that transport certificates are fine as without tls implementation it works well in this dev env and prod as well.
I am using 7.9.1 version of elastic,kibana and agent.

{"type":"log","@timestamp":"2020-09-19T22:55:00Z","tags":["warning","elasticsearch","data"],"pid":5047,"message":"Unable to revive connection: https://test-elasticsearch.xyz.com/"}
{"type":"log","@timestamp":"2020-09-19T22:55:00Z","tags":["warning","elasticsearch","data"],"pid":5047,"message":"No living connections"}

TimV · September 21, 2020, 12:24am

What sort of ELB did you use?

If it's an Application Load Balancer, then it will terminate the TLS connection and the certificate you need to configure in Kibana is the one that ELB is using, not the one that Elasticsearch is configured to use.

system · October 19, 2020, 12:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to get issuer certificate Kibana	5	3654	March 14, 2018
SSL Error in Kibana logs Kibana	15	1804	October 14, 2020
Kibana can't startup successfully after enable ssl and xpack in elasticsearch6.7.1 Kibana elastic-stack-security	6	1061	May 20, 2019
Kibana server is not ready yet, error : Unable to get issuer certificate Kibana elastic-stack-security	3	840	September 29, 2022
Xpack.security.transport.ssl setup issue Elasticsearch elastic-stack-security	4	366	October 5, 2022

Error in Kibana "xpack => unable to get local issuer certificate"

Related topics