Kibana can't connect to elasticsearch using self signed certificates

Hi, I have enabled TLS certificates for connection between Kibana and Elasticsearch as described here: Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [7.16] | Elastic

I use rsyslog to send data straight to Elasticsearch and that works fine, I can also use curl to talk to Elasticsearch so certificates are working fine for the https://localhost:9200 URL.

But when I try to do the same with Kibana then all I get is the dreaded "Unable to retrieve version information from Elasticsearch nodes. self signed certificate in certificate chain" log in /var/log/kibana/kibana.log

I used the Elasticsearch-certutil to create a CA, and a certificate/key pair for https using that CA, that also created a kibana directory in the zip file that included a .pem file that I use for telling kibana to trust the Elasticsearch certificate.

Here is the kibana.yml file:

server.publicBaseUrl: "my-dns-server-name"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.ssl.certificate: "/etc/kibana/elasticsearch-ssl/elasticsearch-ca.pem"
xpack.encryptedSavedObjects.encryptionKey: "xxxxxxx" "xxxxxxx"

And here is the Elasticsearch.yml file: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch localhost true true certificate required elasticsearch-ssl/elasticsearch.key.pem elasticsearch-ssl/elasticsearch.cert.pem true elasticsearch-ssl/http.p12
discovery.type: single-node

All the referenced certificates are from the Elasticsearch-certutil program.

Anyone have ideas on why kibana does not trust the certificate?

Yeah looks like you are missing to specify the CA in the Kibana config and the key as well? see my kibana.yml:

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/Elasticsearch-ca.pem
server.ssl.key: /etc/ssl/kibana/kibana-key.key
Elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/Elasticsearch-ca.pem" ]
Elasticsearch.ssl.verificationMode: none


cluster.initial_master_nodes: ["node-1"] true true true none http.p12 elastic-certificates.p12 elastic-certificates.p12

They do not have to have the same certs, I created a different cert for Kibana and a different one for Elasticsearch but used the same key and CA and used openssl i believe to generate the p12 format certs which include the ca into it, so i could actually technically be able to point kibana to those .p12 and it should work just fine as well.

To generate new cert w/openssl:

cd /etc/Elasticsearch/
openssl pkcs12 -in elastic-certificates.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in elastic-certificates.p12 -out newfile.key.pem -nocerts -nodes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.