Kibana Failed to authenticate with host “https://<IP_Address>:9200”: “”

AlAnsari · February 14, 2024, 1:10pm

I've solved the errors for this issue that many others have had relative to not matching the host name and not verifying the first certificate by naturally adding the IP to the list of IPs generated in the instances.yml file as per the documentation (solves problem 1) and including the environment variable NODE_EXTRA_CA_CERTS=/usr/share/kibana/config/certs/ca/ca.crt to my docker composer (solves problem 2)

My issue is that Kibana still refuses to authenticate and configure my server but provides no error message (see title), just an empty string.

What follows is my docker compose code, minus the enterprise search container but that's moot for now since it depends on kibana which is not working to begin with:

  setup:
    container_name: elasticsearch-setup
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.3
    user: "0"
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/elasticsearch/config/certs
    command: >
      bash -c '
        if [ ! -f config/certs/ca.zip ]; then
          echo "Creating CA";
          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
          unzip config/certs/ca.zip -d config/certs;
        fi;
        if [ ! -f certs/certs.zip ]; then
          echo "Creating certs";
          echo -ne \
          "instances:\n"\
          "  - name: es\n"\
          "    dns:\n"\
          "      - elasticsearch\n"\
          "      - localhost\n"\
          "      - ${DNSNAME}\n"\
          "    ip:\n"\
          "      - 127.0.0.1\n"\
          "      - ${IPADDRESS}\n"\
          > config/certs/instances.yml;
          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
          unzip config/certs/certs.zip -d config/certs;
        fi;
        echo "Setting file permissions"
        chown -R root:root config/certs;
        find . -type d -exec chmod 750 \{\} \;;
        find . -type f -exec chmod 640 \{\} \;;
        echo "Waiting for Elasticsearch availability"
        until curl -s --cacert config/certs/ca/ca.crt https://elasticsearch:9200 | grep -q "missing authentication credentials"; do sleep 10; done
        echo "Elasticsearch is available"
        echo "Setting kibana_system password"
        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTICPASS}" -H "Content-Type: application/json" https://elasticsearch:9200/_security/user/kibana_system/_password -d '{"password":"${KIBANAPASS}"}' | grep -q "200"; do sleep 10; done
        echo "Password for kibana_system is set"
        echo "All done!"
      '
    healthcheck:
      test: ["CMD-SHELL", "[ -f config/certs/elasticsearch/elasticsearch.crt ]"]
      interval: 1s
      timeout: 5s
      retries: 10
      
  elasticsearch:
    container_name: elasticsearch
    depends_on:
      setup:
        condition: service_healthy
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.3
    user: "1000:0"
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/elasticsearch/config/certs
      - elastic-search-data:/usr/share/elasticsearch/data
    ports:
      - "9200:9200"
    environment:
      - logger.discovery.level=debug
      - node.name=elasticsearch
      - cluster.name=${CLUSTERNAME}
      - cluster.initial_master_nodes=elasticsearch
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.enrollment.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/elasticsearch/elasticsearch.key
      - xpack.security.http.ssl.certificate=certs/elasticsearch/elasticsearch.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/elasticsearch/elasticsearch.key
      - xpack.security.transport.ssl.certificate=certs/elasticsearch/elasticsearch.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=trial
      - ES_JAVA_OPTS=-Xms16g -Xmx16g
      - ELASTIC_PASSWORD=${ELASTICPASS}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test: ["CMD-SHELL", "curl -s --cacert config/certs/ca/ca.crt https://elasticsearch:9200 | grep -q 'missing authentication credentials'"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: unless-stopped

  kibana:
    container_name: kibana
    depends_on:
      elasticsearch:
        condition: service_healthy
    image: docker.elastic.co/kibana/kibana:8.11.3
    user: "1000:0"
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/kibana/config/certs
      - kibana-data:/usr/share/kibana/data
    ports:
      - "5601:5601"
    environment:
      - logging.root.level=trace
      - server.name=kibana
      - enterprisesearch.host=http://enterprisesearch:3002
      - elasticsearch.hosts=https://elasticsearch:9200
      - elasticsearch.username=kibana_system
      - elasticsearch.password=${KIBANAPASS}
      - elasticsearch.ssl.certificateAuthorities=/usr/share/kibana/config/certs/ca/ca.crt 
      - xpack.security.encryptionKey=${SECURITYKEY}
      - xpack.encryptedSavedObjects.encryptionKey=${OBJECTSKEY}
      - xpack.reporting.encryptionKey=${REPORTINGKEY}
      - xpack.reporting.kibanaServer.hostname=kibana
      - xpack.reporting.kibanaServer.protocol=https
      - NODE_EXTRA_CA_CERTS=/usr/share/kibana/config/certs/ca/ca.crt
    healthcheck:
      test: ["CMD-SHELL", "curl -s -I --cacert config/certs/ca/ca.crt https://kibana:5601 | grep -q 'HTTP/1.1 302 Found'"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: unless-stopped

For reference: when i ran the default/test code for setting up a stack with enterprise search (with a simple copy paste and .env definition) from the elastic enterprise search 8.11 docker docs guide for setting it up, the stack worked fine and kibana connected.

This customisation is erroenous somewhere and with a blank error message im stuck without a clear way forward.

I should note that if I attempt to use curl and openssl directly from within the failed kibana container, it can connect and the ssl does verify. the consistent issue seems to be http requests that elastic is picking up when it expects https.

The openssl message says its likely http/0.9, and the elasticsearch container itself continuously logs that it receives a plaintext http request from kibana on an https port.

i have no yaml files or configuration files in my docker-compose build group. only a docker-compose.yml file and a .env file containing the interpolated variables

AlAnsari · February 28, 2024, 10:18am

An updated compose file:

version: '3.8'

networks:
  elastic-network:
    driver: bridge

volumes:
  elastic-search-data:
    driver: local
  elastic-certs:
    driver: local
  kibana-data:
    driver: local
  enterprise-search-data:
    driver: local
    
services:
  setup:
    container_name: elasticsearch-setup
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
    user: "0"
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/elasticsearch/config/certs
    command: |
      bash -c '
      if [ "x${ELASTIC_PASSWORD}" == "x" ]; then
        echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
        exit 1;
      elif [ "x${KIBANA_PASSWORD}" == "x" ]; then
        echo "Set the KIBANA_PASSWORD environment variable in the .env file";
        exit 1;
      fi;
      if [ ! -f config/certs/ca.zip ]; then
        echo "Creating CA";
        bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
        unzip config/certs/ca.zip -d config/certs;
      fi;
      if [ ! -f certs/certs.zip ]; then
        echo "Creating certs";
        echo -ne \
        "instances:\n"\
        "  - name: elasticsearch\n"\
        "    dns:\n"\
        "      - elasticsearch\n"\
        "      - localhost\n"\
        "      - ${DNS_NAME}\n"\
        "    ip:\n"\
        "      - 127.0.0.1\n"\
        "      - ${IP_NAME}\n"\
        > config/certs/instances.yml;
        bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
        unzip config/certs/certs.zip -d config/certs;
      fi;
      echo "Setting file permissions";
      chown -R root:root config/certs;
      find . -type d -exec chmod 750 \{\} \;;
      find . -type f -exec chmod 640 \{\} \;;
      echo "Waiting for Elasticsearch availability";
      until curl -s --cacert config/certs/ca/ca.crt https://elasticsearch:${ES_PORT} | grep -q "missing authentication credentials"; do sleep 10; done;
      echo "Elasticsearch is available";
      echo "Setting kibana_system password";
      until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://elasticsearch:${ES_PORT}/_security/user/kibana_system/_password -d '{"password":"${KIBANA_PASSWORD}"}' | grep -q "^{}"; do sleep 10; done;
      echo "Password for kibana_system is set";
      echo "All done!";
      '
    healthcheck:
      test: ["CMD-SHELL", "[ -f config/certs/elasticsearch/elasticsearch.crt ]"]
      interval: 1s
      timeout: 5s
      retries: 10
      
  elasticsearch:
    container_name: elasticsearch
    depends_on:
      setup:
        condition: service_healthy
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
    user: "1000:0"
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/elasticsearch/config/certs
      - elastic-search-data:/usr/share/elasticsearch/data
    ports:
      - "${ES_PORT}:9200"
    environment:
      - node.name=elasticsearch
      - cluster.name=${ES_CLUSTER_NAME}
      - cluster.initial_master_nodes=elasticsearch
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.enrollment.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/elasticsearch/elasticsearch.key
      - xpack.security.http.ssl.certificate=certs/elasticsearch/elasticsearch.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/elasticsearch/elasticsearch.key
      - xpack.security.transport.ssl.certificate=certs/elasticsearch/elasticsearch.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
      - ES_JAVA_OPTS=-Xms16g -Xmx16g
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test: ["CMD-SHELL", "curl -s --cacert config/certs/ca/ca.crt https://elasticsearch:${ES_PORT} | grep -q 'missing authentication credentials'"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: unless-stopped

  kibana:
    container_name: kibana
    depends_on:
      elasticsearch:
        condition: service_healthy
    image: docker.elastic.co/kibana/kibana:${ELASTIC_VERSION}
    user: "1000:0"
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/kibana/config/certs
      - kibana-data:/usr/share/kibana/data
    ports:
      - "${KIB_PORT}:5601"
    environment:
      - server.name=kibana
      - enterprisesearch.host=https://enterprisesearch:${ENTS_PORT}
      - elasticsearch.hosts=https://elasticsearch:${ES_PORT},https://${IP_NAME}:${ES_PORT}
      - elasticsearch.username=kibana_system
      - elasticsearch.password=${KIBANA_PASSWORD}
      - elasticsearch.ssl.certificateAuthorities=/usr/share/kibana/config/certs/ca/ca.crt
      - NODE_EXTRA_CA_CERTS=/usr/share/kibana/config/certs/ca/ca.crt
      - xpack.security.encryptionKey=${SECURITY_KEY}
      - xpack.encryptedSavedObjects.encryptionKey=${OBJECTS_KEY}
      - xpack.reporting.encryptionKey=${REPORTING_KEY}
      - xpack.reporting.kibanaServer.hostname=kibana
      - xpack.reporting.kibanaServer.protocol=https
    healthcheck:
      test: ["CMD-SHELL", "curl -s -I --cacert config/certs/ca/ca.crt https://kibana:${KIB_PORT} | grep -q 'HTTP/1.1 302 Found'"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: unless-stopped

  enterprisesearch:
    container_name: enterprisesearch
    depends_on:
      elasticsearch:
        condition: service_healthy
      kibana:
        condition: service_healthy
    image: docker.elastic.co/enterprise-search/enterprise-search:${ELASTIC_VERSION}
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/enterprise-search/config/certs
      - enterprise-search-data:/usr/share/enterprise-search/config
    ports:
      - 3002:3002
    environment:
      - ES_JAVA_OPTS=-Xms16g -Xmx16g
      - SERVERNAME=enterprisesearch
      - secret_management.encryption_keys=${ENCRYPTION_KEYS}
      - allow_es_settings_modification=true
      - elasticsearch.host=https://elasticsearch:${ES_PORT}
      - elasticsearch.username=elastic
      - elasticsearch.password=${ELASTIC_PASSWORD}
      - elasticsearch.ssl.enabled=true
      - elasticsearch.ssl.certificate_authority=/usr/share/enterprise-search/config/certs/ca/ca.crt
      - kibana.external_url=https://kibana:${KIB_PORT}
    healthcheck:
      test:
        [
            "CMD-SHELL",
            "curl -s -I https://enterprisesearch:${ENTS_PORT} | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
    restart: unless-stopped

When this compose runs, I end up with Kibana logging the title message as its error. The last 3 lines of the logs are:

i Kibana has not been configured.
Go to http://0.0.0.0:5601/?code=271143 to get started.
[2024-02-28T09:59:29.471+00:00][ERROR][plugins.interactiveSetup.elasticsearch] Failed to authenticate with host "https://<IP_Address>:9200": ""

If I modify the docker composer for the Kibana service such that the variables are defined in their capitalized form (to line up more exactly with the guide), Kibana fails to start and shuts down immediately:

[2024-02-28T10:08:22.716+00:00][INFO ][root] Kibana is starting
[2024-02-28T10:08:22.774+00:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
[2024-02-28T10:08:32.268+00:00][INFO ][plugins-service] Plugin "cloudChat" is disabled.
[2024-02-28T10:08:32.273+00:00][INFO ][plugins-service] Plugin "cloudExperiments" is disabled.
[2024-02-28T10:08:32.273+00:00][INFO ][plugins-service] Plugin "cloudFullStory" is disabled.
[2024-02-28T10:08:32.273+00:00][INFO ][plugins-service] Plugin "cloudGainsight" is disabled.
[2024-02-28T10:08:32.393+00:00][INFO ][plugins-service] Plugin "profilingDataAccess" is disabled.
[2024-02-28T10:08:32.393+00:00][INFO ][plugins-service] Plugin "profiling" is disabled.
[2024-02-28T10:08:32.436+00:00][INFO ][plugins-service] Plugin "securitySolutionServerless" is disabled.
[2024-02-28T10:08:32.436+00:00][INFO ][plugins-service] Plugin "serverless" is disabled.
[2024-02-28T10:08:32.437+00:00][INFO ][plugins-service] Plugin "serverlessObservability" is disabled.
[2024-02-28T10:08:32.437+00:00][INFO ][plugins-service] Plugin "serverlessSearch" is disabled.
[2024-02-28T10:08:32.575+00:00][INFO ][root] Kibana is shutting down
[2024-02-28T10:08:32.576+00:00][FATAL][root] Reason: [config validation of [elasticsearch].hosts]: types that failed validation:
- [config validation of [elasticsearch].hosts.0]: expected URI with scheme [http|https].
- [config validation of [elasticsearch].hosts.1]: could not parse array value from json input
Error: [config validation of [elasticsearch].hosts]: types that failed validation:
- [config validation of [elasticsearch].hosts.0]: expected URI with scheme [http|https].
- [config validation of [elasticsearch].hosts.1]: could not parse array value from json input
    at ensureValidConfiguration (/usr/share/kibana/node_modules/@kbn/core-config-server-internal/src/ensure_valid_configuration.js:23:11)
    at Server.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/server.js:162:5)
    at Root.preboot (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/root/index.js:47:14)
    at bootstrap (/usr/share/kibana/node_modules/@kbn/core-root-server-internal/src/bootstrap.js:97:9)
    at Command.<anonymous> (/usr/share/kibana/src/cli/serve/serve.js:211:5)

 FATAL  Error: [config validation of [elasticsearch].hosts]: types that failed validation:
- [config validation of [elasticsearch].hosts.0]: expected URI with scheme [http|https].
- [config validation of [elasticsearch].hosts.1]: could not parse array value from json input

for reference, here is the updates Kibana setup which produces the previous error:

  kibana:
    container_name: kibana
    depends_on:
      elasticsearch:
        condition: service_healthy
    image: docker.elastic.co/kibana/kibana:${ELASTIC_VERSION}
    user: "1000:0"
    networks:
      - elastic-network
    volumes:
      - elastic-certs:/usr/share/kibana/config/certs
      - kibana-data:/usr/share/kibana/data
    ports:
      - "${KIB_PORT}:5601"
    environment:
      - SERVERNAME=kibana
      - ENTERPRISESEARCH_HOST=https://enterprisesearch:${ENTS_PORT}
      - ELASTICSEARCH_HOSTS=https://elasticsearch:${ES_PORT},https://${IP_NAME}:${ES_PORT}
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/certs/ca/ca.crt
      - NODE_EXTRA_CA_CERTS=/usr/share/kibana/config/certs/ca/ca.crt
      - xpack.security.encryptionKey=${SECURITY_KEY}
      - xpack.encryptedSavedObjects.encryptionKey=${OBJECTS_KEY}
      - xpack.reporting.encryptionKey=${REPORTING_KEY}
      - xpack.reporting.kibanaServer.hostname=kibana
      - xpack.reporting.kibanaServer.protocol=https
    healthcheck:
      test: ["CMD-SHELL", "curl -s -I --cacert config/certs/ca/ca.crt https://kibana:${KIB_PORT} | grep -q 'HTTP/1.1 302 Found'"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: unless-stopped

I am not sure if this means that lowercase definitions are deprecated for Kibana use, or if the uppercase definitions are not parsed properly to configure kibana, or if I've made a mistake in the composition somewhere, or if something else is going on.

It does appear however that configuration is the source of the issue or at the very least is adjacent to it.

I should note that I do not use a "Kibana.yml" supplementary file to define environment variables, I try to set those directly via docker. But regardless of kabana.yml (lower or uppercase variables) the server does not function or pass the healthcheck. In the cases where I did try the Kibana.yml approach, I mounted the file using ./kibana.yml:/usr/share/kibana/config/kibana.yml in the volumes directive and ensured the yml files for kibana config and the docker compose were in the same directory.

rtwolfe94022 · March 1, 2024, 6:28pm

Your issue likely stems from an SSL/TLS configuration mismatch or misinterpretation between Kibana and Elasticsearch, indicated by the error about receiving plaintext HTTP requests on an HTTPS port. To troubleshoot:

Double-check SSL/TLS certificate paths and configurations in both Kibana and Elasticsearch to ensure they correctly reference and access the necessary files.
Increase logging levels for more detailed diagnostics in both services.
Verify environment variables and paths in your Docker compose, especially those related to SSL, to ensure they're correctly set and accessible within containers.
Simplify your setup to the minimal configuration that still uses SSL/TLS for connections, which might help isolate the issue.
Review Elasticsearch logs for any additional clues on why it's interpreting Kibana's requests as plaintext.

Ensure all referenced files and environment variables are correctly defined and accessible within their respective containers.

stephenb · March 2, 2024, 5:15pm

Looks to me it's complaining about that line....

Why don't you try hardcoding a single value and see if that works and then work your way forward to what you want. Perhaps one of those host or IP environment variables is not set the way you think it is.

That value is technically an array and sometimes trying to pass multiple values in an environment. Variable is tricky.

I would try a single value first

system · March 30, 2024, 5:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.