Filebeat ERROR x509: certificate signed by unknown authority

in my filebeat.yaml I configured output.elasticsearch: section like this

  # Array of hosts to connect to.
  hosts: [""]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"   # changed by me

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "xxxxxxxxxxx"
    enabled: true
    ca_trusted_fingerprint: "E7B4EB1476CDBD2606E2EADE41373A0CE52305B3313EFE082CEF0676E2ADA4A7"

checked kibana.yaml - the same fingerprinf

checked in elasticsearch/certs with openssl x509 -fingerprint -sha256 -noout -in ./http_ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g' - got the fingerprint in filebeat.yaml

according for initial/quick filebeat configuration page it should be enough
The same configuration works on my VMware

But When I come to my real servers environment I got

filebeat test output
  parse url... OK
    parse host... OK
    dns lookup... OK
    dial up... OK
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate signed by unknown authority

What else should I check?

Thank you

What Version?
Show us your Kibana.yml?
Perhaps / Most likely a subject name mismatch the cert does not include as a subject name alternative.

try this from the new filebeat server with the CA from the elasticsearch server.

curl -v -u elastic --cacert ./certs/http_ca.crt


# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address. ""

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# Defaults to `false`.
#server.rewriteBasePath: false

# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""

# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576

# The Kibana server's name. This is used for display purposes. "your-hostname"

# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

# =================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
#elasticsearch.username: "kibana_system"
#elasticsearch.password: "pass"

# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
# Use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# The maximum number of sockets that can be used for communications with elasticsearch.
# Defaults to `Infinity`.
#elasticsearch.maxSockets: 1024

# Specifies whether Kibana should use compression for communications with elasticsearch
# Defaults to `false`.
#elasticsearch.compression: false

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# =================== System: Elasticsearch (Optional) ===================
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full

# =================== System: Logging ===================
# Set the value of this setting to off to suppress all logging output, or to debug to log everything. Defaults to 'info'
#logging.root.level: debug

# Enables you to specify a file where Kibana stores log output.
      type: file
      fileName: /var/log/kibana/kibana.log
        type: json
      - default
      - file
#  layout:
#    type: json

# Logs queries sent to Elasticsearch.
#  - name: elasticsearch.query
#    level: debug

# Logs http responses.
#  - name: http.server.response
#    level: debug

# Logs system usage information.
#  - name: metrics.ops
#    level: debug

# =================== System: Other ===================
# The path where Kibana stores persistent data not saved in Elasticsearch. Defaults to data data

# Specifies the path where Kibana creates the process ID file.
pid.file: /run/kibana/

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000ms.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".
#i18n.locale: "en"

# =================== Frequently used (Optional)===================

# =================== Saved Objects: Migrations ===================
# Saved object migrations run at startup. If you run into migration-related issues, you might need to adjust these settings.

# The number of documents migrated at a time.
# If Kibana can't start up or upgrade due to an Elasticsearch `circuit_breaking_exception`,
# use a smaller batchSize value to reduce the memory pressure. Defaults to 1000 objects per batch.
#migrations.batchSize: 1000

# The maximum payload size for indexing batches of upgraded saved objects.
# To avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch.
# This value should be lower than or equal to your Elasticsearch cluster’s `http.max_content_length`
# configuration option. Default: 100mb
#migrations.maxBatchSizeBytes: 100mb

# The number of times to retry temporary migration failures. Increase the setting
# if migrations fail frequently with a message such as `Unable to complete the [...] step after
# 15 attempts, terminating`. Defaults to 15
#migrations.retryAttempts: 15

# =================== Search Autocomplete ===================
# Time in milliseconds to wait for autocomplete suggestions from Elasticsearch.
# This value must be a whole number greater than zero. Defaults to 1000ms
#unifiedSearch.autocomplete.valueSuggestions.timeout: 1000

# Maximum number of documents loaded by each shard to generate autocomplete suggestions.
# This value must be a whole number greater than zero. Defaults to 100_000
#unifiedSearch.autocomplete.valueSuggestions.terminateAfter: 100000

# This section was automatically generated during setup.
elasticsearch.hosts: ['']
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NjgwMzIzMzExMDU6ZVhiMVFPRFBUOUtBSGhtZkNhbjgyZw
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1668032331523.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [''], ca_trusted_fingerprint: e7b4eb1476cdbd2606e2eade41373a0ce52305b3313efe082cef0676e2ada4a7}]

sorry I didnt get the last suggestion
I have 3 files in /etc/elasticsearch/certs / http_ca.crt http.p12 transport.p12


curl -v -u elastic --cacert ./certs/http_ca.crt

I did run curl -v -u elastic --cacert ./http_ca.crt

our environment does not allow to copy files between servers or download them on home pc.. so I created http_ca.crt on filebeat, assigned 660 rights and run from local dir


curl -v -u elastic --cacert ./http_ca.crt
Enter host password for user 'elastic':
* About to connect() to port 9200 (#0)
*   Trying
* Connected to ( port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)

You might need to use a full path.. and make sure it is readable by the user running curl... (linux :slight_smile: ) or WAIT is this on Windows?

no Linux

full path make sure it can be accessed / read

[root@dlx-stg-dal-app-11-p ~]# curl -v -u elastic --cacert /root/http_ca.crt
Enter host password for user 'elastic':

  • About to connect() to port 9200 (#0)
  • Trying
  • Connected to ( port 9200 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • Closing connection 0
    curl: (77) Problem with the SSL CA cert (path? access rights?)

I'm running from root

I mean the error is saying the same thing...

I just ran this command on my Ubuntu 20 it ran fine.

yeap.. and perfectly works on my VMware

What does that mean... what works perfectly?

the same configuration, made with the same steps - works on my VMware.. different certificates of course

can we avoid ssl check? I've seen some configuration somewhere

ssl.verification_mode: "none"

There is a simple mistake somewhere... sometimes those are the hardest to find :wink:

in filebeat configuration?

instead of this... I linked the docs :slight_smile: Above

There is a simple mistake somewhere... sometimes those are the hardest to find :wink:

that's very true

OK, let's stop for today.. I will come tomorrow.. may be reinstall ELK from scratch