Failed to determine the health of the cluster

goodeejay · February 10, 2023, 7:00pm

Hello, I've been trying to generate enrollment token for kibana with:
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s "kibana"

But I'm getting an error, the last line says:

ERROR: Failed to determine the health of the cluster.

The elasticsearch status is green and working:
sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/_cluster/health?pretty=true
Outputs:

{
  "cluster_name" : "elasticsearch",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 2,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

goodeejay · February 10, 2023, 8:56pm

Ok, looks like you need to specify url when creating enrollment token when
xpack.security.http.ssl.enabled is set to true in your elasticsearch.yml config file (which is automatically set when you install it).

(I wonder why this is not straight away indicated in kibana installation page, you should visit the documentation of elasticsearch-create-enrollment-token in order to read about it)

So, now I'm able to generate an enrollment token for kibana:

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana --url https://localhost:9200

Then, I'm passing it to kibana-setup:

sudo /usr/share/kibana/bin/kibana-setup
? Enter enrollment token: <token_here>

Getting an error:

✖ Unable to connect to Elasticsearch with the provided enrollment token: Hostname/IP does not match certificate's altnames: IP: 172.18.0.1 is not in the cert's list: fe80::215:5dff:fe06:905c, 172.19.205.202, ::1, 127.0.0.1

To generate a new enrollment token run:
  bin/elasticsearch-create-enrollment-token -s kibana

Also, I've tried entering enrollment token through web-browser gui https://localhost:5601, but with no success.

Then, after hours of searching reading through some community posts, I've found that we can turn off host validation in certificates by changing 'full' to 'certificate' in kibana.yml file:

elasticsearch.ssl.verificationMode: 'certificate'

Then, after restarting the service and trying to connect from browser with enrollment token, finally worked!

I still wonder how to make it work when elasticsearch.ssl.verificationMode is set to full, do I need to recreate certs? If so, how? and why it didn't generate proper certs in the beginning when I installed the elasticsearch?

system · March 10, 2023, 8:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.