Handshake error attaching report

uxssmango · July 24, 2020, 10:44am

Hello,
We have a problem trying to attach a report file generated from Kibana.
Our Kibana web is published through SSL with a wildcard certificate with a valid CA and the error reports:

      "actions" : [
        {
          "id" : "send_email",
          "type" : "email",
          "status" : "failure",
          "error" : {
            "root_cause" : [
              {
                "type" : "s_s_l_handshake_exception",
                "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
              }
            ],
            "type" : "s_s_l_handshake_exception",
            "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
            "caused_by" : {
              "type" : "validator_exception",
              "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
              "caused_by" : {
                "type" : "sun_cert_path_builder_exception",
                "reason" : "unable to find valid certification path to requested target"
              }
            }
          }

We have activated in elasticsearch.yml file:
xpack.security.transport.ssl.verification_mode: certificate
xpack.http.ssl.verification_mode: certificate

Is there any way to avoid validation of the hostname when trying to validate the certificate?

thanks!

jportner · July 27, 2020, 4:46pm

Hi @uxssmango,

It appears that the error you're seeing is not because of the SSL connection to Kibana, rather it's because of the SSL connection to the mail server.

See Watcher Email TLS/SSL settings, if you want to disable hostname verification (not recommended) the correct setting would be:

xpack.notification.email.ssl.verification_mode: certificate

However, I believe what you should do is obtain the CA certificate that was used to sign the mail server's SSL certificate, and configure Elasticsearch to trust that CA:

xpack.notification.email.ssl.certificate_authorities: ['/path/to/your/ca-cert.pem']

system · August 24, 2020, 4:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana watcher error throwing SSL handshake even though CA is same for both Kibana & Elasticsearch Kibana elastic-stack-alerting	2	504	July 17, 2023
[KIBANA] Xpack notification Kibana elastic-stack-alerting	4	437	May 22, 2019
Watcher for report with attachment failed due to ssl handshake exception Kibana elastic-stack-security , elastic-stack-alerting	4	3285	July 27, 2020
S_s_l_handshake_exception in watcher Elasticsearch elastic-stack-reporting , elastic-stack-alerting	1	602	November 21, 2022
Unable to find valid certification path to requested target Kibana elastic-stack-alerting	2	4861	July 6, 2021

Handshake error attaching report

Related topics