Fleet initialization behind a corporate proxy fails with "unable to get local issuer certificate", ignoring proxy settings

I am running Elasticsearch and Kibana on Linux (Ubuntu 20.04 LTS) in a corporate environment, which requires an SSL-inspection proxy to access the Internet.

Because of the SSL-inspection proxy, the private root certificates are registered with the operating system and Java (/usr/share/elasticsearch/jdk/lib/security/cacerts).

So far, Elasticsearch and Kibana are working fine.

Now, I want to use Fleet for Elastic Agents.

The Fleet main site (http://localhost:5601/app/fleet) is loading for a while, and will fail with the following error:

Unable to initialize Fleet
[Default policy] could not be added. [system] could not be installed due to error: [RegistryConnectionError: Error connecting to package registry: request to https://epr.elastic.co/search?package=system&internal=true&experimental=true&kibana.version=7.16.1 failed, reason: unable to get local issuer certificate]

I have checked the mentioned URL using the following cURL call, and see the corporate proxy SSL certificate, and the answer from epr.elastic.co.

curl -vvI "https://epr.elastic.co/search?package=system&internal=true&experimental=true&kibana.version=7.16.1"

Since cURL returns the expected result, and accepts the private (MITM) proxy SSL certificate, the operating system configuration is working. Without the private CA certificates being installed, cURL refuses the connection.

Searching the Internet for the term 'kibana fleet "unable to get local issuer certificate"' does reveal some hints to work around the issue.

The first one I have tried was to construct a PEM file containing all the private root public certificates, and make Kibana aware of the file by setting "elasticsearch.ssl.certificateAuthorities" in kibana.yml.
This workaround seems to have no effect, even after a full server reboot. I have kept the configuration active.

The second one I have tried was to set "elasticsearch.ssl.verificationMode" to "none" in the kibana.yml.
This workaround, together with the first one, also did not work, even after a full server reboot.

I have commented out the configuration changes made for the first and second workaround.

The third workaround I have tried was to set the environment variable "SSL_VERIFICATIONMODE" to "none" in the systemd override configuration for Kibana.
This workaround also did not work.

How can I enable Kibana to access the Fleet elastic.co repository?

PS: The page "Management" -> "Integration" also does not work ("Kibana cannot reach the Elastic Package Registry").

PPS: The Kibana setting "xpack.fleet.registryProxyUrl" also did not work (setting the transparent proxy to a "visible" proxy).

PPPS: The configuration options starting with "elasticsearch." are actually all lower case; this forum seems to "correct" the capitalization on that word.

I found another solution which worked.

Setting an environment variable:

NODE_EXTRA_CA_CERTS="/etc/kibana/root_ca_chain.pem"
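
A preflight for the fix in the reply above, added here as an example and not part of the original thread: Node.js reads NODE_EXTRA_CA_CERTS once at startup and only emits a warning if the file is missing or malformed, so it is worth checking the bundle before restarting Kibana. The function names and the systemd drop-in layout are assumptions; the bundle path is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the PEM bundle that
# NODE_EXTRA_CA_CERTS will point at, then render a systemd drop-in for Kibana.
# Run it as the account Kibana runs as, so the readability test is meaningful.

# check_ca_bundle FILE -> exit status 0 if FILE looks like a usable CA bundle.
check_ca_bundle() {
    f=$1
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    # grep -c exits 1 on zero matches; "|| true" keeps this safe under set -e.
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        echo "no certificates found in $f" >&2; return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "truncated bundle: $begins BEGIN vs $ends END markers" >&2; return 1
    fi
    # A trust bundle holds public certificates only; key material in it
    # means the wrong file was exported.
    if grep -q -e 'PRIVATE KEY-----' "$f"; then
        echo "private key material found in $f" >&2; return 1
    fi
    echo "$f: $begins certificate(s)"
}

# render_dropin FILE -> prints a [Service] override that sets the variable.
render_dropin() {
    printf '[Service]\nEnvironment="NODE_EXTRA_CA_CERTS=%s"\n' "$1"
}

# Constructed sample: the body is a placeholder, not a real certificate.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$sample"
check_ca_bundle "$sample" && render_dropin /etc/kibana/root_ca_chain.pem
rm -f "$sample"

# On a real host (drop-in file name is an assumption):
#   check_ca_bundle /etc/kibana/root_ca_chain.pem &&
#     render_dropin /etc/kibana/root_ca_chain.pem \
#       > /etc/systemd/system/kibana.service.d/ca.conf
#   systemctl daemon-reload && systemctl restart kibana
```

The check is structural only; it does not verify that the certificates in the bundle are the ones the inspection proxy actually presents.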
