Handshake error attaching report

Hello,
We have a problem trying to attach a report file generated from Kibana.
Our Kibana web is published through SSL with a wildcard certificate with a valid CA and the error reports:

      "actions" : [
        {
          "id" : "send_email",
          "type" : "email",
          "status" : "failure",
          "error" : {
            "root_cause" : [
              {
                "type" : "s_s_l_handshake_exception",
                "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
              }
            ],
            "type" : "s_s_l_handshake_exception",
            "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
            "caused_by" : {
              "type" : "validator_exception",
              "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
              "caused_by" : {
                "type" : "sun_cert_path_builder_exception",
                "reason" : "unable to find valid certification path to requested target"
              }
            }
          }

We have activated in elasticsearch.yml file:
xpack.security.transport.ssl.verification_mode: certificate
xpack.http.ssl.verification_mode: certificate

Is there any way to avoid validation of the hostname when trying to validate the certificate?

thanks!

Hi @uxssmango,

It appears that the error you're seeing is not because of the SSL connection to Kibana, rather it's because of the SSL connection to the mail server.

See Watcher Email TLS/SSL settings, if you want to disable hostname verification (not recommended) the correct setting would be:

xpack.notification.email.ssl.verification_mode: certificate

However, I believe what you should do is obtain the CA certificate that was used to sign the mail server's SSL certificate, and configure Elasticsearch to trust that CA:

xpack.notification.email.ssl.certificate_authorities: ['/path/to/your/ca-cert.pem']

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.