Kibana fleet - Error connecting to package registry

Zerobot · December 8, 2020, 8:56am

Hi!

Did anyone encounter a problem like this?

{"type":"log","@timestamp":"2020-12-08T08:52:46Z","tags":["error","plugins","ingestManager"],"pid":54293,"message":"Error connecting to package registry: request to https://epr.elastic.co/search?package=system&internal=true&experimental=true&kibana.version=7.10.0 failed, reason: self signed certificate in certificate chain"}

All my certs are signed by my company PKI and I'm also using a RootCA obtained directly from PKI.
SSL is working great, everything is green and it's showing certification path as it should via my browser + elasticsearch and kibana internal communication is also via SSL.

If I copy this EPR address directly into my browser it is working fine. I can also download from it via my machine (using wget for example).

blaker · December 8, 2020, 10:06pm

@Zerobot Does the server that is running Kibana have those same files? Because that error is from the Kibana server itself reaching out to get those files, it would not make that request from your local browser.

Zerobot · December 9, 2020, 7:13am

Sorry but I think I don't fully understand the question I've been trying to connect to the EPR directly from my Kibana machine. wget worked fine, I've just tried curl with certificates Kibana is using:

[root@xxxxxxxxxx: certs]# curl -k https://epr.elastic.co/search?package=system&internal=true&experimental=true&kibana.version=7.10.0 -v –key node_cert.key –cacert root.pem –cert node_cert.pem
[1] 90204
[2] 90205
[3] 90206
-bash: kibana.version=7.10.0: command not found
[2]-  Done                    internal=true
[3]+  Done                    experimental=true
[root@xxxxxxxxxx: certs]# [
  {
    "name": "system",
    "title": "System",
    "version": "0.9.1",
    "release": "beta",
    "description": "System Integration",
    "type": "integration",
    "download": "/epr/system/system-0.9.1.zip",
    "path": "/package/system/0.9.1",
    "icons": [
      {
        "src": "/img/system.svg",
        "path": "/package/system/0.9.1/img/system.svg",
        "title": "system",
        "size": "1000x1000",
        "type": "image/svg+xml"
      }
    ]
  }
]

It seems curl is also working fine while using my certificates.

ruflin · December 9, 2020, 12:09pm

Does your request go through a proxy?

Zerobot · December 9, 2020, 12:40pm

I have Nginx in front of Kibana but I guess that's not it. Nginx is just for listening on ports 80 and 443 and redirecting requests to Kibana on port 9999.

Is it possible that EPR is seeing my company's certificates signed by our PKI as self-signed?

blaker · December 9, 2020, 6:38pm

Being that your testing from the Kibana box and it works, I would expect it to work from Kibana as well.

@nchaulet Any ideas?

nchaulet · December 9, 2020, 7:09pm

I guess we are missing some options while doing our call from Kibana to EPR.
Can you try to add your company certificate authority to node, it's possible to do so by specifying the environment variable NODE_EXTRA_CA_CERTS while running Kibana?

Zerobot · December 9, 2020, 7:54pm

Thank you!
This indeed solved my problem. I've added variable:

NODE_EXTRA_CA_CERTS="/etc/kibana/root_ca_chain.pem"

into the /etc/default/kibana file on RHEL.

It works like a charm now Thanks again!

system · January 6, 2021, 7:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.