Kibana server is not ready yet, error : Unable to get issuer certificate


I’ve been struggling for some time with the SSL configuration of Kibana.
I need to set the elasticsearch.ssl.verificationMode on "full" or on "certificate" but Kibana is only working in "none".
When I start the service I get the following error :
“Unable to retrieve version information from Elasticsearch nodes. Unable to get issuer certificate.”

I must censor some parts of the configurations.
I change the certs for the ones from my company.
I’m working on the version 8.3.2
The system isn’t allowed to connect to the Internet for security reasons.
Here are the configuration of Elasticsearch and Kibana :

elasticsearch.yml : "*******" "*******-1" /elk/elasticsearch/data
path.logs: /elk/elasticsearch/log
http.port: **** true true
  enabled: true
  keystore.path: /etc/elasticsearch/certs/http.p12
  enabled: true
  verification_mode: certificate
  keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
  truststore.path: /etc/elasticsearch/certs/*********.p12
cluster.initial_master_nodes: ["ELK"]
xpack.monitoring.collection.enabled: true

kibana.yml :

server.port: **** *******
server.ssl.certificate: "/etc/kibana/certs/kibana-server.crt"
server.ssl.key: "/etc/kibana/certs/kibana-server.key"
server.ssl.enabled: true
elasticsearch.hosts: ["https://***.***.***.***:****"]
elasticsearch.serviceAccountToken: "*************************************"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: full
logging.appenders.file.type: file
logging.appenders.file.fileName: /elk/kibana/log/kibana.log
logging.appenders.file.layout.type: json
logging.root.appenders: [default, file] /elk/kibana/data
pid.file: /run/kibana/

I’m a bit new to Elastic especially to the SSL part so the solution to my problem might be simple but I don’t see it. I tried solutions from previous topics but they didn't work.


Your kibana is configured to trust

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elasticsearch-ca.pem" ]

Is this the CA that is used to sign the following on the ES side
  enabled: true
  keystore.path: /etc/elasticsearch/certs/http.p12

You said

I change the certs for the ones from my company.

So it is possible that you HTTP cert is not signed by the above CA and hence not trusted by Kibana.

Yes, the CA was used to sign the http cert.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.