Kibana server is not ready yet, error : Unable to get issuer certificate

Florian-LB · August 30, 2022, 6:53am

Hello,

I’ve been struggling for some time with the SSL configuration of Kibana.
I need to set the elasticsearch.ssl.verificationMode on "full" or on "certificate" but Kibana is only working in "none".
When I start the service I get the following error :
“Unable to retrieve version information from Elasticsearch nodes. Unable to get issuer certificate.”

I must censor some parts of the configurations.
I change the certs for the ones from my company.
I’m working on the version 8.3.2
The system isn’t allowed to connect to the Internet for security reasons.
Here are the configuration of Elasticsearch and Kibana :

elasticsearch.yml :

cluster.name: "*******"
node.name: "*******-1"
path.data: /elk/elasticsearch/data
path.logs: /elk/elasticsearch/log
http.port: ****
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: /etc/elasticsearch/certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
  truststore.path: /etc/elasticsearch/certs/*********.p12
cluster.initial_master_nodes: ["ELK"]
http.host: 0.0.0.0
xpack.monitoring.collection.enabled: true

kibana.yml :

server.port: ****
server.host: 0.0.0.0
server.name: *******
server.ssl.certificate: "/etc/kibana/certs/kibana-server.crt"
server.ssl.key: "/etc/kibana/certs/kibana-server.key"
server.ssl.enabled: true
elasticsearch.hosts: ["https://***.***.***.***:****"]
elasticsearch.serviceAccountToken: "*************************************"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: full
logging.appenders.file.type: file
logging.appenders.file.fileName: /elk/kibana/log/kibana.log
logging.appenders.file.layout.type: json
logging.root.appenders: [default, file]
path.data: /elk/kibana/data
pid.file: /run/kibana/kibana.pid

I’m a bit new to Elastic especially to the SSL part so the solution to my problem might be simple but I don’t see it. I tried solutions from previous topics but they didn't work.

Thanks.

Yang_Wang · September 1, 2022, 1:38am

Your kibana is configured to trust

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elasticsearch-ca.pem" ]

Is this the CA that is used to sign the following on the ES side

xpack.security.http.ssl:
  enabled: true
  keystore.path: /etc/elasticsearch/certs/http.p12

You said

I change the certs for the ones from my company.

So it is possible that you HTTP cert is not signed by the above CA and hence not trusted by Kibana.

Florian-LB · September 1, 2022, 6:47am

Yes, the CA was used to sign the http cert.

system · September 29, 2022, 6:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana SSL verification Trust Issues Kibana elastic-stack-security	20	6452	February 22, 2023
Unable to get issuer certificate Kibana	5	3654	March 14, 2018
Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate Kibana	9	15899	November 4, 2022
Unable to get issuer certificate Kibana elastic-stack-security	5	515	September 9, 2022
Kibana <---> Elasticsearch integration with SSL enable Kibana elastic-stack-security , docker	6	486	September 16, 2022

Kibana server is not ready yet, error : Unable to get issuer certificate

Related topics