Kibana can't connect to elasticsearch using self signed certificates

Hi, I have enabled TLS certificates for connection between Kibana and Elasticsearch as described here: Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [7.16] | Elastic

I use rsyslog to send data straight to Elasticsearch and that works fine, I can also use curl to talk to Elasticsearch so certificates are working fine for the https://localhost:9200 URL.

But when I try to do the same with Kibana then all I get is the dreaded "Unable to retrieve version information from Elasticsearch nodes. self signed certificate in certificate chain" log in /var/log/kibana/kibana.log

I used the Elasticsearch-certutil to create a CA, and a certificate/key pair for https using that CA, that also created a kibana directory in the zip file that included a .pem file that I use for telling kibana to trust the Elasticsearch certificate.

Here is the kibana.yml file:

server.publicBaseUrl: "my-dns-server-name"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.ssl.certificate: "/etc/kibana/elasticsearch-ssl/elasticsearch-ca.pem"
xpack.encryptedSavedObjects.encryptionKey: "xxxxxxx"
xpack.security.encryptionKey: "xxxxxxx"

And here is the Elasticsearch.yml file:

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.key: elasticsearch-ssl/elasticsearch.key.pem
xpack.security.transport.ssl.certificate: elasticsearch-ssl/elasticsearch.cert.pem
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elasticsearch-ssl/http.p12
discovery.type: single-node

All the referenced certificates are from the Elasticsearch-certutil program.

Anyone have ideas on why kibana does not trust the certificate?

Yeah looks like you are missing to specify the CA in the Kibana config and the key as well? see my kibana.yml:

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/Elasticsearch-ca.pem
server.ssl.key: /etc/ssl/kibana/kibana-key.key
Elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/Elasticsearch-ca.pem" ]
Elasticsearch.ssl.verificationMode: none

Elasticsearch.yml:

cluster.initial_master_nodes: ["node-1"]
xpack.security.transport.ssl.enabled: true
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.http.ssl.keystore.path: http.p12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

They do not have to have the same certs, I created a different cert for Kibana and a different one for Elasticsearch but used the same key and CA and used openssl i believe to generate the p12 format certs which include the ca into it, so i could actually technically be able to point kibana to those .p12 and it should work just fine as well.

To generate new cert w/openssl:

cd /etc/Elasticsearch/
openssl pkcs12 -in elastic-certificates.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in elastic-certificates.p12 -out newfile.key.pem -nocerts -nodes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.