Kibana certificate issues in ES 7.7 - unable to verify the first certificate

morariu · June 2, 2022, 7:49pm

Hi all. I know this has been discussed but I still can't figure it out. Getting the "unable to verify the first certificate" in the logs when starting Kibana.

Here are the logs, the part where the errors start showing, later it keeps looping with "Unable to revive connection".

{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","savedobjects-service"],"pid":12207,"message":"Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations..."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","elasticsearch","data"],"pid":12207,"message":"Request error, retrying\nHEAD https://es6.myhost.internal:9200/.apm-custom-link => unable to verify the first certificate"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","elasticsearch","data"],"pid":12207,"message":"Request complete with error\nGET https://es6.myhost.internal:9200/_xpack => unable to verify the first certificate"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","plugins","licensing"],"pid":12207,"message":"License information could not be obtained from Elasticsearch due to Error: Error: unable to verify the first certificate error"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["debug","plugins","licensing"],"pid":12207,"message":"Imported license information from Elasticsearch:type: undefined | status: undefined | expiry date: Invalid date"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","searchprofiler"],"pid":12207,"message":"You cannot use searchprofiler because license information is not available at this time."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","painlessLab"],"pid":12207,"message":"You cannot use painlessLab because license information is not available at this time."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","snapshotRestore"],"pid":12207,"message":"You cannot use snapshot_restore because license information is not available at this time."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","transform"],"pid":12207,"message":"You cannot use transform because license information is not available at this time."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","indexManagement"],"pid":12207,"message":"You cannot use index_management because license information is not available at this time."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","remoteClusters"],"pid":12207,"message":"You cannot use Remote Clusters because license information is not available at this time."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","watcher"],"pid":12207,"message":"You cannot use watcher because license information is not available at this time."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["info","plugins","monitoring","monitoring","kibana-monitoring"],"pid":12207,"message":"Monitoring status upload endpoint is not enabled in Elasticsearch:Monitoring stats collection is stopped"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","elasticsearch","data"],"pid":12207,"message":"Request complete with error\nHEAD https://es6.myhost.internal:9200/.apm-agent-configuration => unable to verify the first certificate"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es2.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","elasticsearch","admin"],"pid":12207,"message":"Request error, retrying\nGET https://es3.myhost.internal:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => unable toverify the first certificate"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es8.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","elasticsearch","admin"],"pid":12207,"message":"Request error, retrying\nGET https://es7.myhost.internal:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => unable toverify the first certificate"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es7.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","elasticsearch","admin"],"pid":12207,"message":"Request error, retrying\nGET https://es5.myhost.internal:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => unable toverify the first certificate"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es4.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","elasticsearch","admin"],"pid":12207,"message":"Request complete with error\nGET https://es8.myhost.internal:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => unable to verify the first certificate"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["error","savedobjects-service"],"pid":12207,"message":"Unable to retrieve version information from Elasticsearch nodes."}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es1.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es5.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es3.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"Unable to revive connection: https://es6.myhost.internal:9200/"}
{"type":"log","@timestamp":"2022-06-02T19:16:16Z","tags":["warning","elasticsearch","data"],"pid":12207,"message":"No living connections"}

Here is the Elasticsearch.yml

cluster.name: mycluster
node.name: es1
path.data: /opt/elastic/data
path.logs: /opt/elastic/logs
network.host: es1.myhost.internal
http.port: 9200
discovery.seed_hosts: ["es1.myhost.internal", "es2.myhost.internal", "es3.myhost.internal", "es4.myhost.internal", "es5.myhost.internal", "es6.myhost.internal", "es7.myhost.internal", "es8.myhost.internal"]
cluster.initial_master_nodes: ["es1", "es2", "es3"]
node.master: true
node.ingest: true
node.data: false
node.ml: false
node.transform: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: /opt/elastic/elasticsearch/config/certs/xeno-keystore-dev1.jks
xpack.security.transport.ssl.truststore.path: /opt/elastic/elasticsearch/config/certs/xeno-trust-dev1.jks
xpack.security.http.ssl.keystore.path: /opt/elastic/elasticsearch/config/certs/xeno-keystore-dev1.jks
xpack.security.http.ssl.truststore.path: /opt/elastic/elasticsearch/config/certs/xeno-trust-dev1.jks

And kibana.yml

server.port: 5601
server.host: es1.myhost.internal
elasticsearch.hosts: ["https://es1.myhost.internal:9200", "https://es2.myhost.internal:9200", "https://es3.myhost.internal:9200", "https://es4.myhost.internal:9200", "https://es5.myhost.internal:9200", "https://es6.myhost.internal:9200", "https://es7.myhost.internal:9200", "https://es8.myhost.internal:9200"]
server.ssl.enabled: true
elasticsearch.ssl.verificationMode: full
server.ssl.keystore.path: /opt/elastic/kibana/config/xeno-keystore-dev1.p12
elasticsearch.ssl.keystore.path: /opt/elastic/kibana/config/xeno-keystore-dev1.p12
elasticsearch.ssl.truststore.path: /opt/elastic/kibana/config/xeno-truststore-dev1.p12
elasticsearch.ssl.certificateAuthorities: ["/opt/elastic/kibana/config/elasticsearch-ca.pem"]
elasticsearch.username: "kibana"
elasticsearch.password: "mypassword"
logging.verbose: true
logging.dest: /opt/elastic/logs/kibana.log
xpack.security.encryptionKey: "mystringsof32chars"

No issues with certificates on Elasticsearch, I can curl with "elastic" user and password:

curl -ik -u elastic https://es1.myhost.internal:9200/_cat/health?v

Any suggestions? Thanks

Yang_Wang · June 6, 2022, 1:16am

You should not specify both truststore and certificateAuthorities. Based on the file names, you might want to remove the certificateAuthorities setting.

warkolm · June 6, 2022, 9:39am

FWIW 7.7 is EOL and you should upgrade ASAP.

system · July 4, 2022, 9:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Upgrade 7.6->7.7 unable to verify the first certificate" Kibana	21	4019	July 8, 2020
Unable to verify the first certificate - kibana/elasticsearch Elasticsearch elastic-stack-security	3	10920	December 14, 2021
Unable to verify the first certificate Elasticsearch elastic-stack-security	1	856	August 26, 2022
X-pack and kibana: Client request error: unable to verify the first certificate Kibana	6	14639	July 6, 2017
Unable to retrieve version information from elasticsearch nodes Kibana elastic-stack-security	2	704	January 10, 2023

Kibana certificate issues in ES 7.7 - unable to verify the first certificate

Related topics