Kibana Elasticsearch TLS does not work (alert and actions)

I followed all steps in the guide


but unfortunately, it did not work for me .
    server.port: 5601
     # Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
        # The default is 'localhost', which usually means remote machines will not be able to connect.
        # To allow connections from remote users, set this parameter to a non-loopback address.
        server.host: "kibana-pp.com"

        # Enables you to specify a path to mount Kibana at if you are running behind a proxy.
        # Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
        # from requests it receives, and to prevent a deprecation warning at startup.
        # This setting cannot end in a slash.
        #server.basePath: ""

        # Specifies whether Kibana should rewrite requests that are prefixed with
        # `server.basePath` or require that they are rewritten by your reverse proxy.
        # This setting was effectively always `false` before Kibana 6.3 and will
        # default to `true` starting in Kibana 7.0.
        #server.rewriteBasePath: false

        # The maximum payload size in bytes for incoming server requests.
        #server.maxPayloadBytes: 1048576

        # The Kibana server's name.  This is used for display purposes.
        #server.name: "your-hostname"

        # The URLs of the Elasticsearch instances to use for all your queries.
        elasticsearch.hosts: ["https://elk-pp-01.com:9200"]

        # When this setting's value is true Kibana uses the hostname specified in the server.host
        # setting. When the value of this setting is false, Kibana uses the hostname of the host
        # that connects to this Kibana instance.
        elasticsearch.preserveHost: true

        # Kibana uses an index in Elasticsearch to store saved searches, visualizations and
        # dashboards. Kibana creates a new index if the index doesn't already exist.
        #kibana.index: ".kibana"

        # The default application to load.
        #kibana.defaultAppId: "home"

        # If your Elasticsearch is protected with basic authentication, these settings provide
        # the username and password that the Kibana server uses to perform maintenance on the Kibana
        # index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
        # is proxied through the Kibana server.
        elasticsearch.username: "elastic"
        elasticsearch.password: "password"

        # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
        # These settings enable SSL for outgoing requests from the Kibana server to the browser.
        server.ssl.enabled: true
        server.ssl.certificate: /etc/kibana/star.crt
        server.ssl.key: /etc/kibana/star.key


        # Optional settings that provide the paths to the PEM-format SSL certificate and key files.
        # These files are used to verify the identity of Kibana to Elasticsearch and are required when
        # xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
        elasticsearch.ssl.certificate: /etc/kibana/elastic.crt
        elasticsearch.ssl.key:  /etc/kibana/elastic.key

        # Optional setting that enables you to specify a path to the PEM file for the certificate
        # authority for your Elasticsearch instance.
        elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticCA.crt" ]

        # To disregard the validity of SSL certificates, change this setting's value to 'none'.
        elasticsearch.ssl.verificationMode: none

        # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
        # the elasticsearch.requestTimeout setting.
        #elasticsearch.pingTimeout: 1500

        # Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
        # must be a positive integer.
        #elasticsearch.requestTimeout: 30000

        # List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
        # headers, set this value to [] (an empty list).
        #elasticsearch.requestHeadersWhitelist: [ authorization ]

        # Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
        # by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
        #elasticsearch.customHeaders: {}

        # Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
        #elasticsearch.shardTimeout: 30000

        # Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
        #elasticsearch.startupTimeout: 5000

        # Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
        #elasticsearch.logQueries: false

        # Specifies the path where Kibana creates the process ID file.
        #pid.file: /var/run/kibana.pid

        # Enables you specify a file where Kibana stores log output.
        #logging.dest: stdout

        # Set the value of this setting to true to suppress all logging output.
        #logging.silent: false

        # Set the value of this setting to true to suppress all logging output other than error messages.
        #logging.quiet: false

        # Set the value of this setting to true to log all events, including system usage information
        # and all requests.
        #logging.verbose: false

        # Set the interval in milliseconds to sample system and process performance
        # metrics. Minimum is 100ms. Defaults to 5000.
        #ops.interval: 5000
        xpack.security.enabled: true
        # Specifies locale to be used for all localizable strings, dates and number formats.
        # Supported languages are the following: English - en , by default , Chinese - zh-CN .
        #i18n.loicale: "en"
xpack.security.encryptionKey: "dfghjkldcvbnmsdfghjryteuikdfvchy"
        xpack.encryptedSavedObjects.encryptionKey: "dfghjkldcvbnmsdfghjryteuikdfvchy"
`

our elasticsearch.yml is

    #
    # NOTE: Elasticsearch comes with reasonable defaults for most settings.
    #       Before you set out to tweak and tune the configuration, make sure you
    #       understand what are you trying to accomplish and the consequences.
    #
    # The primary way of configuring a node is via this file. This template lists
    # the most important settings you may want to configure for a production cluster.
    #
    # Please consult the documentation for further information on configuration options:
    # https://www.elastic.co/guide/en/elasticsearch/reference/index.html
    #
    # ---------------------------------- Cluster -----------------------------------
    #
    # Use a descriptive name for your cluster:
    #
    cluster.name: elk
    #
    # ------------------------------------ Node ------------------------------------
    #
    # Use a descriptive name for the node:
    #
    node.name: elk-pre-01
    #
    # Add custom attributes to the node:
    #
    #node.attr.rack: r1
    #
    # ----------------------------------- Paths ------------------------------------
    #
    # Path to directory where to store the data (separate multiple locations by comma):
    #
    path.data: /var/lib/elasticsearch/data
    #
    # Path to log files:
    #
    path.logs: /var/log/elasticsearch
    #
    # ----------------------------------- Memory -----------------------------------
    #
    # Lock the memory on startup:
    #
    #bootstrap.memory_lock: true
    #
    # Make sure that the heap size is set to about half the memory available
    # on the system and that the owner of the process is allowed to use this
    # limit.
    #
    # Elasticsearch performs poorly when the system is swapping the memory.
    #
    # ---------------------------------- Network -----------------------------------
    #
    # Set the bind address to a specific IP (IPv4 or IPv6):
    #
    network.host: 172.24.9.3
    #
    # Set a custom port for HTTP:
    #
    http.port: 9200
    #
    # For more information, consult the network module documentation.
    #
    # --------------------------------- Discovery ----------------------------------
    #
    # Pass an initial list of hosts to perform discovery when this node is started:
    # The default list of hosts is ["127.0.0.1", "[::1]"]
    #
    discovery.seed_hosts: ["elk-pp-01.com","elk-pp-02.com","elk-pp-03.com"]
    #discovery.seed_hosts: ["elk-pp-01.com","elk-pre-02.com"]

    #
    # Bootstrap the cluster using an initial set of master-eligible nodes:
    #
    cluster.initial_master_nodes: ["elk-pp-01.com","elk-pp-02.com"]
    #
    # For more information, consult the discovery and cluster formation module documentation.
    #
    # ---------------------------------- Gateway -----------------------------------
    #
    # Block initial recovery after a full cluster restart until N nodes are started:
    #
    #gateway.recover_after_nodes: 3
    #
    # For more information, consult the gateway module documentation.
    #
    # ---------------------------------- Various -----------------------------------
    #
    # Require explicit names when deleting indices:
    #
    #action.destructive_requires_name: true

    #xpack.security.enabled: true
    #xpack.security.transport.ssl.enabled: true
    #xpack.security.transport.ssl.verification_mode: full
    #xpack.security.transport.ssl.keystore.path: certificate-org.p12
    #xpack.security.transport.ssl.truststore.path: certificate-org.p12
    #xpack.security.http.ssl.enabled: true
    #xpack.security.http.ssl.keystore.path: "certificate-org.p12"


    xpack.security.enabled: true

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.key: /etc/elasticsearch/elk-pre-01.key
    xpack.security.transport.ssl.certificate: /etc/elasticsearch/star_thiqah_sa.crt
    xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/DigiCertCA.crt"]


    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.supported_protocols: [TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
    xpack.security.http.ssl.key: /etc/elasticsearch/elk-pre-01.key
    xpack.security.http.ssl.certificate: /etc/elasticsearch/star_thiqah_sa.crt
    xpack.security.http.ssl.client_authentication: optional
    xpack.security.http.ssl.certificate_authorities:  [ "/etc/elasticsearch/DigiCertCA.crt" ]
`

Please can you help me with what is going wrong or missing to setup kibana alert and actions

There is something here point-3
What version of the stack are you using ?
Are you able to access kibana using TLS, https://kibana-pp.com:5601 ?

Thank You @ylasri for your reply

i added the key but still it does not work .
xpack.security.encryptionKey: "dfghjkldcvbnmsdfghjryteuikdfvchy"

the elasticsearch cluster version is 7.8.0
the kibana version is i did not find the version but i think it is 7.8.0


yes i able to login

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.