Http client did not trust this server's certificate

Hi all,

I am using certgen to generate certificates and am able to use it. I know it's a self-signed certificate, so the browser tells me it's not secure and I added an exception. Is there any way to stop the Elasticsearch WARN logs? They are increasing very fast.

I get logs like this:

[2017-11-26T18:23:14,444][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-x] http client did not trust this server's certificate, closing connection [id: 0xd22e7c00, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:34184]
[2017-11-26T18:23:14,445][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-x] http client did not trust this server's certificate, closing connection [id: 0x8e7dc57d, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:34182]
[2017-11-26T18:23:19,461][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-x] http client did not trust this server's certificate, closing connection [id: 0xefdfa887, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:34196]

I could create a cron job, but I want to know if there is an actual procedure to fix this.

Thanks,
Raj

Hi Raj,

Did you configure both Elasticsearch and Kibana to use SSL? Also, are any processes writing data into Elasticsearch also configured to use SSL?

I have the full stack installed with certgen self-signed certs and I'm not getting those warnings.

In my elasticsearch.yml I have:

xpack.ssl.certificate: x-pack/elasticsearch.crt
xpack.ssl.key: x-pack/elasticsearch.key
xpack.ssl.certificate_authorities: [x-pack/ca.crt]
xpack.security.http.ssl.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate

And in my kibana.yml I have:

server.ssl.certificate: /home/vagrant/kibana/config/kibana.crt
server.ssl.key: /home/vagrant/kibana/config/kibana.key
elasticsearch.ssl.certificateAuthorities: ["/home/vagrant/kibana/config/ca.crt"]

What version are you running and what OS are you on?

Regards,
Lee

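One way to find which client is failing the handshake, as an added example that is not part of the original thread: it groups the WARN lines quoted in the question by remote address and estimates how often each client reconnects. The function name `untrusted_clients`, the `burst_gap` threshold and the embedded sample are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three WARN lines quoted in the question above.
SAMPLE_LOG = """\
[2017-11-26T18:23:14,444][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-x] http client did not trust this server's certificate, closing connection [id: 0xd22e7c00, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:34184]
[2017-11-26T18:23:14,445][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-x] http client did not trust this server's certificate, closing connection [id: 0x8e7dc57d, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:34182]
[2017-11-26T18:23:19,461][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-x] http client did not trust this server's certificate, closing connection [id: 0xefdfa887, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:34196]
"""

# Timestamp, node name and the remote (R:) endpoint of each rejected connection.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]+\]\s+\[(?P<node>[^\]]+)\]\s+"
    r"http client did not trust this server's certificate, closing connection "
    r"\[id: 0x[0-9a-f]+, L:\S+ ! R:[^/]*/(?P<rip>.+):(?P<rport>\d+)\]$"
)

def untrusted_clients(log_text, burst_gap=1.0):
    """Group the WARN events by remote IP and estimate each client's retry interval."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f")
            events[m["rip"]].append((ts, int(m["rport"])))
    report = {}
    for rip, hits in events.items():
        hits.sort()
        # Connections opened within burst_gap seconds count as one attempt.
        bursts = [hits[0][0]]
        for ts, _ in hits[1:]:
            if (ts - bursts[-1]).total_seconds() > burst_gap:
                bursts.append(ts)
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        report[rip] = {
            "connections": len(hits),
            "attempts": len(bursts),
            "retry_seconds": round(sum(gaps) / len(gaps), 3) if gaps else None,
            # Loopback means the client runs on the Elasticsearch host itself.
            "loopback": ipaddress.ip_address(rip).is_loopback,
        }
    return report

if __name__ == "__main__":
    for ip, info in untrusted_clients(SAMPLE_LOG).items():
        print(ip, info)
```

For the quoted lines this reports a single loopback client reconnecting about every five seconds, which points at a timer-driven process on the Elasticsearch host itself that does not trust the certificate.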

I just remembered (based on another user's question) that I'm adding the self-signed certs to the local machine's trust store. Here's some bash script I use in testing:

# Add the certgen CA and node certificates to the OS trust store
case "$OS" in
ubuntu)
  cp "$QADIR/../certs/ca/ca.crt" /usr/local/share/ca-certificates/
  cp "$QADIR/../certs/elasticsearch/elasticsearch.crt" /usr/local/share/ca-certificates/
  cp "$QADIR/../certs/kibana/kibana.crt" /usr/local/share/ca-certificates/
  update-ca-certificates

  # Disable IPv6 on the test machine
  echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
  echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
  echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf
  sysctl -p
  cat /proc/sys/net/ipv6/conf/all/disable_ipv6
  ;;
centos)
  sudo update-ca-trust force-enable
  cp "$QADIR/../certs/ca/ca.crt" /etc/pki/ca-trust/source/anchors/
  cp "$QADIR/../certs/elasticsearch/elasticsearch.crt" /etc/pki/ca-trust/source/anchors/
  cp "$QADIR/../certs/kibana/kibana.crt" /etc/pki/ca-trust/source/anchors/
  sudo update-ca-trust extract
  ;;
windows)
  certutil -addstore root "$QADIR/../certs/ca/ca.crt"
  ;;
esac

Regards,
Lee


Thank you, Lee. I will look into whether my yml has the same settings.
