Kibana throws error “unable to get issuer certificate” while connecting to ElasticSearch

jfreeman · February 15, 2018, 6:51am

ES is running in Linux on port 9200 and using firewall rules all incoming request to port 443 are redirected to port 9200 using below commands (It’s because only 443 connections are allowed to this server)

firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 9200
firewall-cmd --permanent --direct --add-rule ipv6 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 9200
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -p tcp -d 10.51.222.6 --dport 443 -j REDIRECT --to-ports 9200
firewall-cmd --permanent --direct --add-rule ipv6 nat PREROUTING 1 -p tcp -d 10.51.222.6 --dport 443 -j REDIRECT --to-ports 9200

SSl is enabled in ES and accessing ES from a browser as https://esalias.company.com works with not cert error. But Kibana throws error “unable to get issuer certificate” and kibana login screen is disabled with the message “Login is currently disabled..”

Kibana config is

--- 
elasticsearch.url: "https://esalias.company.com:443"
elasticsearch.username: elastic
elasticsearch.password: elastic

server.host: kibanaalias.company.com
server.name: kibanadev
server.port: 443
server.ssl.certificate: "C:\\kibana\\config\\certs\\certificate.pem"
server.ssl.enabled: true
server.ssl.key: "C:\\kibana\\config\\certs\\secret.key"
logging.dest: "C:\\kibana\\logs\\kibana.log"

The error I see in the log file is

"tags":["error","elasticsearch","admin"] Request error, retrying\nHEAD https://esalias.company.com/ => unable to get issuer certificate
"tags":["warning","elasticsearch","admin"],"pid":153552,"message":"Unable to revive connection: https://esalias.company.com/"}

And if I remove 443 from kibana config elasticsearch.url: "https://esalias.company.com", Kibana automatically appends the default port 9200 to the ES url while connecting and it fails with error message - connect ETIMEDOUT

I really appreciate any idea to fix this issue.

Bill_McConaghy · February 15, 2018, 5:19pm

You might need to get the signer certificate for the issuer of your SSL cert and then add this line to kibana.yml:
elasticsearch.ssl.certificateAuthorities: [ "YOUR_PATH/YOUR_CA.crt" ]

jfreeman · February 15, 2018, 5:33pm

I added the CA setting in kibana.yml. Now I see another error

"state":"red","message":"Status changed from yellow to red - [security_exception] current license is non-compliant for [security], with { license.expired.feature="security" }","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"

ES has a valid license. Kibana should also have a valid license to establish a connection to ES ?

Bill_McConaghy · February 15, 2018, 5:38pm

Were you maybe using a trial license? If so, you might need to request an extension.

jfreeman · February 15, 2018, 5:53pm

I have got a new trial license from elastic. Wondering how to apply when Kibana is down.

I tired the below command for my Kibana host
gc .\license.json | Invoke-WebRequest -uri http://kibanahost/_xpack/license -Credential elastic -Method Put -ContentType "application/json"

I get error
Invoke-WebRequest : {"statusCode":404,"error":"Not Found"}

Bill_McConaghy · February 15, 2018, 5:56pm

That request should go against the elasticsearchhost, not the kibanahost.

jfreeman · February 15, 2018, 6:05pm

Yes applying the license to ES and restarting Kibana fixed this issue. Thank you Bill.

Bill_McConaghy · February 15, 2018, 6:54pm

Awesome, glad things are fixed.

system · March 15, 2018, 6:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.