Kibana throws error “unable to get issuer certificate” while connecting to ElasticSearch

ES is running in Linux on port 9200 and using firewall rules all incoming request to port 443 are redirected to port 9200 using below commands (It’s because only 443 connections are allowed to this server)

firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 9200
firewall-cmd --permanent --direct --add-rule ipv6 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 9200
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -p tcp -d 10.51.222.6 --dport 443 -j REDIRECT --to-ports 9200
firewall-cmd --permanent --direct --add-rule ipv6 nat PREROUTING 1 -p tcp -d 10.51.222.6 --dport 443 -j REDIRECT --to-ports 9200

SSl is enabled in ES and accessing ES from a browser as https://esalias.company.com works with not cert error. But Kibana throws error “unable to get issuer certificate” and kibana login screen is disabled with the message “Login is currently disabled..”

Kibana config is

--- 
elasticsearch.url: "https://esalias.company.com:443"
elasticsearch.username: elastic
elasticsearch.password: elastic

server.host: kibanaalias.company.com
server.name: kibanadev
server.port: 443
server.ssl.certificate: "C:\\kibana\\config\\certs\\certificate.pem"
server.ssl.enabled: true
server.ssl.key: "C:\\kibana\\config\\certs\\secret.key"
logging.dest: "C:\\kibana\\logs\\kibana.log"

The error I see in the log file is

"tags":["error","elasticsearch","admin"] Request error, retrying\nHEAD https://esalias.company.com/ => unable to get issuer certificate
"tags":["warning","elasticsearch","admin"],"pid":153552,"message":"Unable to revive connection: https://esalias.company.com/"}

And if I remove 443 from kibana config elasticsearch.url: "https://esalias.company.com", Kibana automatically appends the default port 9200 to the ES url while connecting and it fails with error message - connect ETIMEDOUT

I really appreciate any idea to fix this issue.

You might need to get the signer certificate for the issuer of your SSL cert and then add this line to kibana.yml:
elasticsearch.ssl.certificateAuthorities: [ "YOUR_PATH/YOUR_CA.crt" ]

I added the CA setting in kibana.yml. Now I see another error

"state":"red","message":"Status changed from yellow to red - [security_exception] current license is non-compliant for [security], with { license.expired.feature="security" }","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"

ES has a valid license. Kibana should also have a valid license to establish a connection to ES ?

Were you maybe using a trial license? If so, you might need to request an extension.

I have got a new trial license from elastic. Wondering how to apply when Kibana is down.

I tired the below command for my Kibana host
gc .\license.json | Invoke-WebRequest -uri http://kibanahost/_xpack/license -Credential elastic -Method Put -ContentType "application/json"

I get error
Invoke-WebRequest : {"statusCode":404,"error":"Not Found"}

That request should go against the elasticsearchhost, not the kibanahost.

Yes applying the license to ES and restarting Kibana fixed this issue. Thank you Bill.

Awesome, glad things are fixed.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.