Kibana: Unable to retrieve version information from Elasticsearch nodes. error:0909006C:PEM

Hello,

When starting Kibana, the log shows, among other info, this error:
Unable to retrieve version information from Elasticsearch nodes. error:0909006C:PEM

I'm able to browse to https://172.1.1.50:5601, and the initial Elasticsearch logo appears loading, but then it goes to a "Kibana server is not ready yet" message.

Versions:
Elasticsearch: 8(current)
Kibana: 8(current)

Kibana.log:

{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:05.501-08:00","message":"Plugin "metricsEntities" is disabled.","log":{"level":"INFO","logger":"plugins-service"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:05.589-08:00","message":"http server running at http://172.1.1.50:5601","log":{"level":"INFO","logger":"http.server.Preboot"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:05.630-08:00","message":"Setting up [1] plugins: [interactiveSetup]","log":{"level":"INFO","logger":"plugins-system.preboot"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:05.694-08:00","message":"The default mechanism for Reporting privileges will work differently in future versions, which will affect the behavior of this cluster. Set "xpack.reporting.roles.enabled" to "false" to adopt the future behavior before upgrading.","log":{"level":"WARN","logger":"config.deprecation"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:05.897-08:00","message":"Setting up [107] plugins: [translations,licensing,globalSearch,globalSearchProviders,features,licenseApiGuard,usageCollection,taskManager,telemetryCollectionManager,telemetryCollectionXpack,kibanaUsageCollection,share,embeddable,uiActionsEnhanced,screenshotMode,screenshotting,banners,telemetry,newsfeed,mapsEms,fieldFormats,expressions,dataViews,charts,esUiShared,bfetch,data,savedObjects,presentationUtil,expressionShape,expressionRevealImage,expressionRepeatImage,expressionMetric,expressionImage,customIntegrations,home,searchprofiler,painlessLab,grokdebugger,management,watcher,licenseManagement,advancedSettings,spaces,security,savedObjectsTagging,reporting,lists,ingestPipelines,fileUpload,encryptedSavedObjects,dataEnhanced,cloud,snapshotRestore,eventLog,actions,alerting,triggersActionsUi,transform,stackAlerts,ruleRegistry,visualizations,canvas,visTypeXy,visTypeVislib,visTypeVega,visTypeTimelion,visTypeTagcloud,visTypeTable,visTypePie,visTypeMetric,visTypeMarkdown,expressionTagcloud,expressionMetricVis,savedObjectsManagement,console,graph,fleet,indexManagement,remoteClusters,crossClusterReplication,indexLifecycleManagement,dashboard,maps,dashboardEnhanced,visualize,visTypeTimeseries,rollup,indexPatternFieldEditor,lens,cases,timelines,discover,osquery,observability,discoverEnhanced,dataVisualizer,ml,uptime,securitySolution,infra,upgradeAssistant,monitoring,logstash,enterpriseSearch,apm,indexPatternManagement]","log":{"level":"INFO","logger":"plugins-system.standard"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:05.921-08:00","message":"TaskManager is identified by the Kibana UUID: 46419608-6902-4ef7-82af-37686d5bd848","log":{"level":"INFO","logger":"plugins.taskManager"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.058-08:00","message":"Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.","log":{"level":"WARN","logger":"plugins.security.config"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.059-08:00","message":"Session cookies will be transmitted over insecure connections. This is not recommended.","log":{"level":"WARN","logger":"plugins.security.config"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.081-08:00","message":"Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.","log":{"level":"WARN","logger":"plugins.security.config"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.082-08:00","message":"Session cookies will be transmitted over insecure connections. This is not recommended.","log":{"level":"WARN","logger":"plugins.security.config"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.106-08:00","message":"Generating a random key for xpack.reporting.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.reporting.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.","log":{"level":"WARN","logger":"plugins.reporting.config"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.116-08:00","message":"Saved objects encryption key is not set. This will severely limit Kibana functionality. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.","log":{"level":"WARN","logger":"plugins.encryptedSavedObjects"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.132-08:00","message":"APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.","log":{"level":"WARN","logger":"plugins.actions"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.145-08:00","message":"APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.","log":{"level":"WARN","logger":"plugins.alerting"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.163-08:00","message":"Installing common resources shared between all indices","log":{"level":"INFO","logger":"plugins.ruleRegistry"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.780-08:00","message":"Chromium sandbox provides an additional layer of protection, but is not supported for Linux Debian 11 OS. Automatically setting 'xpack.screenshotting.capture.browser.chromium.disableSandbox: true'.","log":{"level":"WARN","logger":"plugins.screenshotting.config"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:06.827-08:00","message":"Unable to retrieve version information from Elasticsearch nodes. error:0909006C:PEM routines:get_name:no start line","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:09.045-08:00","message":"Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell","log":{"level":"INFO","logger":"plugins.screenshotting.chromium"},"process":{"pid":6905}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-03-02T08:48:09.046-08:00","message":"Enabling the Chromium sandbox provides an additional layer of protection.","log":{"level":"WARN","logger":"plugins.screenshotting.chromium"},"process":{"pid":6905}}

Kibana.yml:

server.port: 5601
server.host: "172.1.1.50"
server.publicBaseUrl: "https://elk-stack:5601"
elasticsearch.hosts: ["https://172.1.1.50:9200"]
elasticsearch.serviceAccountToken: "*****************"
elasticsearch.ssl.certificate: /etc/kibana/certs/http_ca.crt
elasticsearch.ssl.key: /etc/kibana/certs/http.p12
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file

I'm not sure if I set up the cert and key paths correctly? I'm using the ones Elasticsearch auto-generated during the installation. I then copied the http_ca.crt, http.p12 and transport.p12 into the kibana/certs/ folder.

Elasticsearch.yml:

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

network.host: 172.1.1.50
http.port: 9200

xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl: 
   enabled: true
   keystore.path: certs/http.p12
xpack.security.transport.ssl:
   enabled: true
   verification_mode: certificate
   keystore.path: certs/transport.p12
   truststore.path: certs/transport.p12

cluster.initial_master_nodes: ["elk-stack"]
http.host: [_local_, _site_]

Thanks for any help!

Hi,

I think you probably need to generate certificates with elasticsearch-certutil (more info at Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.0] | Elastic and also Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.0] | Elastic)

@jportner am I right here?

Cheers

Yes. Done. Thanks! 🙂

Glad you sorted this out! I just wanted to add some information for anyone stumbling upon this.

You don’t have to manually set up TLS. You can definitely use the auto-generated TLS configuration. You don’t need to copy any files around; Kibana can configure itself with the enrollment process. See our docs here: Install Kibana from archive on Linux or macOS | Kibana Guide [8.0] | Elastic

Technically yes, but I'd like to +1 to @ikakavas's answer below. Starting in 8.0, Kibana can be auto-configured using an enrollment token from ES. To trigger Kibana's Interactive Setup mode, you need to make sure that kibana.yml does not contain the following:

  1. Elasticsearch credentials (elasticsearch.serviceAccountToken, elasticsearch.username, or elasticsearch.password)
  2. Elasticsearch hostname (elasticsearch.hosts)

If you remove those, Kibana will enter Interactive Setup mode. Then you can follow the guide that @ikakavas posted above, which tells you to start Kibana, open it in your browser, and enter the enrollment token (and you can regenerate an enrollment token if you need to do that).
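
A preflight check for the two points raised in this thread, as an added example that is not part of any post above and not Elastic's own tooling: it lists the kibana.yml settings that keep Kibana out of Interactive Setup mode, and flags `elasticsearch.ssl.certificate` / `elasticsearch.ssl.key` files that are not PEM. The function names are hypothetical, the parser assumes flat dotted keys like the kibana.yml posted above, and the sample files are constructed stand-ins.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes kibana.yml uses flat dotted keys.

# Print the value of a flat "key: value" line (surrounding double quotes removed).
yml_value() {  # usage: yml_value FILE KEY
  awk -v k="$2" 'index($0, k ":") == 1 {
    v = substr($0, length(k) + 2)
    gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v)
    print v; exit }' "$1"
}

# List the settings that, per the reply above, keep Kibana out of Interactive Setup.
setup_blockers() {  # usage: setup_blockers FILE
  for key in elasticsearch.serviceAccountToken elasticsearch.username \
             elasticsearch.password elasticsearch.hosts; do
    awk -v k="$key" 'index($0, k ":") == 1 { print k; exit }' "$1"
  done
}

# "PEM routines:get_name:no start line" is OpenSSL reporting that it found no
# "-----BEGIN ...-----" line; a PKCS#12 (.p12) keystore is binary and has none.
is_pem() {  # usage: is_pem FILE
  LC_ALL=C grep -q -- '^-----BEGIN [A-Z0-9 ]*-----' "$1" 2>/dev/null
}

# Print each elasticsearch.ssl.certificate/key setting whose file is not PEM.
non_pem_tls_files() {  # usage: non_pem_tls_files FILE
  for key in elasticsearch.ssl.certificate elasticsearch.ssl.key; do
    path=$(yml_value "$1" "$key")
    [ -n "$path" ] || continue
    is_pem "$path" || echo "$key: $path"
  done
}

# Constructed sample mirroring the posted kibana.yml, with stand-in files.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$demo/http_ca.crt"
printf '0\202\004constructed-binary' > "$demo/http.p12"   # not a real keystore
cat > "$demo/kibana.yml" <<EOF
server.port: 5601
elasticsearch.hosts: ["https://172.1.1.50:9200"]
elasticsearch.serviceAccountToken: "*****************"
elasticsearch.ssl.certificate: $demo/http_ca.crt
elasticsearch.ssl.key: $demo/http.p12
EOF
echo "Interactive Setup blocked by:"; setup_blockers "$demo/kibana.yml"
echo "Not PEM:"; non_pem_tls_files "$demo/kibana.yml"
rm -rf "$demo"
```

On a real host, call the two reporting functions with the path to the actual kibana.yml, as a user that can read the referenced certificate and key files.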
