Kibana to Elastic search communication is ending up with failure

Getting an error as ünable to get issuer certificate in kibana logs once after starting the service. I am using DigicertCA.crt file to communicate with mu Elastic server LB. Which is a SAN certificate. This is happening when verificationMode in Kibana as "certificate"or "full".

Hi @Deepaklal_KB,

Welcome to the community! It might be an issue with the signed certificate or configuration. I would recommend having a look at these issues and see if the fixes work for you:

  1. Kibana throws error “unable to get issuer certificate” while connecting to ElasticSearch
  2. Kibana server is not ready yet, error : Unable to get issuer certificate - #2 by Yang_Wang

If those don't help, can you share your Kibana configuration and let us know how you are running Elasticsearch with the LB (Elastic Cloud Enterprise or ECK operator for example).

1 Like

Hello @carly.richmond ,

No, both these solutions were not suitable in my case.
Kibana.yml is shared below, In my case I have a Elasticsearch load balancer which is distributing the load between 3 nodes. Kibana is hitting that particular LB.

This connection I ma try to encrypt. by changing verificationmode to "full" or"certificate". That time I am getting the mentioned error.

One more input is , by hitting below URL with same certificate I am getting "Green" status from ES.


curl -v -u kibana --cacert /etc/kibana/certs/DigiCertCA.crt -u username:password


# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address. ""

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""

# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576

# The Kibana server's name.  This is used for display purposes. "your-hostname"

# The URLs of the Elasticsearch instances to use for all your queries.

elasticsearch.hosts: [""]

elasticsearch.username: ${elasticsearch.username}
elasticsearch.password: ${elasticsearch.password}

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/deu-kibanalb_prod_db_com.crt
server.ssl.key: /etc/kibana/kibana.key #EditRequired

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elastic/DigiCertCA.crt" ] 

elasticsearch.ssl.verificationMode: full /data/kibana/lib/kibana

Note : Tried hitting one node of ES directly from Kibana.That also showing the same error.

Do you have any intermediary certificates in the chain that you need to specify? This Stack Overflow thread might help if so.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.