Kibana <---> Elasticsearch integration with SSL enable

Diego_Lopes_Penna · August 17, 2022, 2:33pm

Hello,

I've tried to find a solution for this on this forum but I was not able to find a solution that solves the problem.
I'm trying to configure a Kibana/Elasticsearch integration. Each one of them is running on its own server on DigitalOcean. For the certificates, I'm using let'sencript. (https://certbot.eff.org/)

Everything is running inside docker containers.

My Elasticsearch is working and I'm able to communicate with it. The problem occurs when I try to connect Kibana to it. I'm getting the message:

[elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate

My kibana.yml is:
</
server.name: kibana

server.host: "0.0.0.0"

# Elasticsearch Connection

elasticsearch.hosts: [ "${ELASTICSEARCH_HOST_PORT}" ]

# SSL settings

server.ssl.enabled: true

server.ssl.certificate: /certs/kibana.crt

server.ssl.key: /certs/kibana.key

#server.ssl.certificateAuthorities: [ "/certs/ca.crt" ]

xpack.security.encryptionKey: ***********

xpack.encryptedSavedObjects.encryptionKey: ***********

xpack.reporting.encryptionKey: ***********

xpack.reporting.kibanaServer.hostname: ***********.***********.***********

## X-Pack security credentials

elasticsearch.serviceAccountToken: "${KIBANA_SERVICE_ACCOUNT_TOKEN}" # !!! Get token !!

#elasticsearch.ssl.certificateAuthorities: [ "/certs/ca.crt" ]

## Misc

elasticsearch.requestTimeout: 90000

server.publicBaseUrl: https://***********.***********.***********

Each one of my servers has its own certificates since they have separate domains.

Can someone point me in the right direction? I'm losing a lot of time trying to find the correct configuration...

Thanks in advance...

cheshirecat · August 18, 2022, 8:41am

Hello there!

Please tell me how did you set ES host in kibana.yml - I can't see this setting.

Diego_Lopes_Penna · August 18, 2022, 10:07am

Hey @cheshirecat . Yes, I've set the ES host. You can find it on this line:
elasticsearch.hosts: [ "${ELASTICSEARCH_HOST_PORT}" ]
ELASTICSEARCH_HOST_PORT is a enviroment variable ---> "https://myelasticaddress:9200"

stephenb · August 19, 2022, 12:24am

most likely you need the ca for the the elasticsearch connection... as the error says

[elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate

You probably need the elasticsearch CA you have it commented out...see here

#elasticsearch.ssl.certificateAuthorities: [ "/certs/ca.crt" ]

or set verificationMode : none which is not recommended.

elasticsearch.ssl.verificationMode : none

Diego_Lopes_Penna · August 19, 2022, 12:49pm

Hi @stephenb, thank you for the reply

I've tried to enable "server.ssl.certificateAuthorities" on a test but I had the same result.

I'm using let'sencrypt certificates as follows:

server.ssl.certificateAuthorities  ----> fullchain.pem
server.ssl.certificate  ----> fullchain.pem 
server.ssl.key ----> privkey.pem

stephenb · August 19, 2022, 2:07pm

It's not the server.ssl...
That's for the Kibana connection to the browser

It's the elasticsearch.ssl...
Which is Kibana connecting to Elasticsearch which is what you're having trouble with.

system · September 16, 2022, 2:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.