I was using Elastic Cloud on Kubernetes. For my Elasticsearch and Kibana I want to use my own certificates, but when I provided the certificates I was getting issues like Kibana not being able to connect to Elasticsearch.
tls:
  certificate:
    secretName: <my-secret-name>
This is the configuration I did in both Kibana and Elasticsearch. Issues:
Unable to retrieve version information from Elasticsearch, unable to verify the first certificate
Yes the Elasticsearch contains all the three certificates like "ca.crt,tls.crt,tls.key".
Can you explain the setup in Kibana to trust the Elasticsearch CA, so that I can verify whether I have done it correctly or not?
In my first comment I mentioned how I configured.
the secret my-secret-name has been correctly created using the following command: kubectl create secret generic my-secret-name --from-file=ca.crt=ca.crt --from-file=tls.crt=es-cert.crt --from-file=tls.key=es-cert-key.pem
ca.crt can be used to validate es-cert.crt
Then the operator should automatically make ca.crt available in the Kibana Pod, in the /usr/share/kibana/config/elasticsearch-certs/ca.crt file, which is used by Kibana to trust Elasticsearch.
Could you check that there is no error in the operator logs ?
Could you enter the Kibana Pod and use the following curl command: curl --cacert /usr/share/kibana/config/elasticsearch-certs/ca.crt -v https://clustername-es-http.namespace.svc:9200 ? If you have an error about curl not being able to verify the legitimacy of the server then it means that the CA certificate is either not the right one, or not updated by the operator.
I have created the secret just like how you mentioned in Elasticsearch.
But still the same issue :["error","savedobjects-service"],"pid":1215,"message":"Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate"}
But one point I didn't understand: you said the operator automatically makes ca.crt available, does this mean we don't have to configure anything in Kibana?
I was passing the ca.crt of Elasticsearch to Kibana as follows: elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/elasticsearch-certs/ca.crt" ]
the operator error message is : "No internal CA certificate Secret found, creating a new one","service.version":"1.8.0+4f367c38","service.type":"eck","ecs.version":"1.4.0","owner_namespace":"vineeth","owner_name":"kibana","ca_type":"http"}
I have just followed how you said but still I was getting the same issue. ["error","savedobjects-service"],"pid":1215,"message":"Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate"}
Could you provide both the manifests for Elasticsearch and Kibana, and also the output of the curl command in the Kibana pod as mentioned in my previous message ?
curl --cacert /usr/share/kibana/config/elasticsearch-certs/ca.crt -v https://clustername-es-http.namespace.svc:30040
* Rebuilt URL to: https://clustername-es-http.namespace.svc:30040/
* Trying 18.116.243.43...
* TCP_NODELAY set
* Connected to clustername-es-http.namespace.svc (18.116.243.43) port 30040 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/share/kibana/config/elasticsearch-certs/ca.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I think the issue is clear, it is because of ca.crt but I have provided the exact ca.crt which I was using in Elasticsearch.
Could you please help me to debug and resolve the issue.
One question: does the DNS name of the service, like elastic-es-http.namespace.svc, have to match the CN mentioned in the certificate? @michael.morello@elasticfran
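The checks discussed in this thread (ca.crt must validate the server certificate, and the certificate must cover the service hostname) can be run offline before the secret is created. This is an added example, not part of the original posts or of ECK: the function names are hypothetical, it needs the openssl CLI, and the certificates it generates are constructed throwaway ones. TLS clients match the hostname against the certificate's subjectAltName entries, which is what check 3 tests.

```shell
#!/bin/sh
# check_tls_secret CA CERT KEY HOSTNAME -> returns 0 only if all three checks pass.
check_tls_secret() {
    ca=$1 cert=$2 key=$3 host=$4 rc=0
    # 1. Chain: was CERT issued by CA? A mismatch here is what curl reports as
    #    "unable to get local issuer certificate".
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain: $cert does not verify against $ca"; rc=1
    fi
    # 2. Key pair: does the private key belong to the certificate?
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL key: $key does not match $cert"; rc=1
    fi
    # 3. Name: does the certificate cover the hostname the client connects to?
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "FAIL name: $cert is not valid for $host"; rc=1
    fi
    return $rc
}

# make_constructed_pki DIR HOSTNAME: throwaway CA, a leaf for HOSTNAME signed by
# that CA, and an unrelated CA (constructed sample data for the demo only).
make_constructed_pki() {
    dir=$1 san=$2
    for n in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$n" \
            -keyout "$dir/$n.key" -out "$dir/$n.crt" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-es" \
        -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$san" > "$dir/san.ext"
    openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/tls.crt" 2>/dev/null
}

# Demo with the service name used in the thread.
svc=clustername-es-http.namespace.svc
tmp=$(mktemp -d)
make_constructed_pki "$tmp" "$svc"
check_tls_secret "$tmp/ca.crt" "$tmp/tls.crt" "$tmp/tls.key" "$svc" && echo "issuing CA: OK"
check_tls_secret "$tmp/other-ca.crt" "$tmp/tls.crt" "$tmp/tls.key" "$svc" || echo "unrelated CA: rejected"
```

To check a real deployment, call check_tls_secret with the same ca.crt, es-cert.crt and es-cert-key.pem files that were passed to kubectl create secret, and the hostname Kibana connects to.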