Kibana POD is in not ready after enabling the https traffic from Kiabna to Elasticsearch

ls4074 · September 24, 2021, 11:47pm

Hello,

I have enabled the http layer and transport layer (security basic setup plus https) on Elasticsearch. the ES master and data pods are all running fine. I then configured the values.yaml in Kibana helm chart with the following:
kibanaConfig:
kibana.yml: |
kibana:
Elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/certs/elastic-ca.pem
secretMounts:
- name: elastic-ca-pem
secretName: elastic-ca-pem
path: /usr/share/kibana/config/certs/elastic-ca.pem

After restarting Kibana, the pod is in not ready state. the kibana.log shows:
{"type":"log","@timestamp":"2021-09-24T21:16:19+00:00","tags":["error","savedobjects-service"],"pid":952,"message":"Unable to retrieve version information from Elasticsearch nodes."}

Inside of Kibana pod, I can run curl against Elasticsearch without --cacert.

tysh-4.4$ crul -k -u elastic https://elasticsearch-master:9200
sh: crul: command not found
sh-4.4$ curl -k -u elastic https://elasticsearch-master:9200
Enter host password for user 'elastic':
{
  "name" : "elasticsearch-master-0",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "3vMs0RouRtWdD4tiT_wAWQ",
  "version" : {
    "number" : "7.13.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "4d960a0733be83dd2543ca018aa4ddc42e956800",
    "build_date" : "2021-06-10T21:01:55.251515791Z",
    "build_snapshot" : false,
    "lucene_version" : "8.8.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

If I specify --cacert, then got failure
sh-4.4$ curl --cacert ./elastic-stack-ca.pem -u elastic https://elasticsearch-master:9200
Enter host password for user 'elastic':
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Any thoughts why the Kibana pod is in NOT ready state?

azasypkin · October 18, 2021, 10:19am

Can you try to use lowercase elasticsearch.ssl.certificateAuthorities: ...? If it doesn't help, enabling verbose logs in Kibana can give us more debug info.

Best,
Oleg

system · November 15, 2021, 10:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.