Kibana not trusting my elasticsearch/shield CA


(Bob) #1

I have Elasticsearch up an running with Shield and SSL using local authentication. The browser on my workstation trusts the site when I go to

I have updated the Kibana.yml file:
elasticsearch.url: "" /opt/elasticsearch/config/shield/Chain.pem (This is the certificate chain for my internal CA)

Kibana won't connect to Elasticsearch unless I add the:
elasticsearch.ssl.verify: false

What am I missing? What CA store is Kibana trying to use?

Thanks for any advice.

(Jay Modi) #2

Hi Bob,

You mentioned a cert chain, which implies you have more than a single cert in that file. I believe you need to specify each certificate separately due to the way node.js works. Something like: [ "/path/to/root.pem", "/path/to/intermediate.pem" ]


(Bob) #3

Yes. We do have a cert chain and your suggestion worked! Thanks!

(David F.) #4

I'm for example used my logstash-forwarder certificate :grin:

(Bob) #5

For logstash to elasticsearch over SSL, keep your CA certificate chain in ONE PEM file. Here is a sample from my logstash.conf file:

output {

    elasticsearch {
            hosts => [""]
            user => myuser
            password => mypassword
            ssl => true
            cacert => "/opt/logstash/etc/certs/MY_CA_Chain.pem"



(Bob) #6

It looks like Kibana 4.5.0 can now read a .pem file with multiple certs in the chain. No need to split the certs into an array.

(system) #7