Kibana watcher error throwing SSL handshake even though CA is same for both Kibana & Elasticsearch. Here's the error:
Attaching the watcher definition as well.
"error" : {
"root_cause" : [
{
"type" : "s_s_l_handshake_exception",
"reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
}
],
"type" : "s_s_l_handshake_exception",
"reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"caused_by" : {
"type" : "validator_exception",
"reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"caused_by" : {
"type" : "sun_cert_path_builder_exception",
"reason" : "unable to find valid certification path to requested target"
}
}
}
The same watcher was working until last week, when we streamlined all the certificates to use for http & transport - to simplify the settings, used the certificate for transport same as http.
Elasticsearch.yml settings:
#Transport layer encryption (new changes)
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: /etc/elasticsearch/config/certs/company_signed.cer
xpack.security.transport.ssl.key: /etc/elasticsearch/config/certs/company_signedcer_key.pem
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/config/certs/company_Root.crt
# HTTP client encryption (same as existing)
xpack.security.http.ssl.enabled: true
xpack.http.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate: /etc/elasticsearch/config/certs/company_signed.cer
xpack.security.http.ssl.key: /etc/elasticsearch/config/certs/company_signedcer_key.pem
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/config/certs/company_Root.crt
Kibana.yml:
elasticsearch.hosts: ["https://xyz:9200"]
elasticsearch.ssl.certificateAuthorities: /etc/elasticsearch/config/certs/company_Root.crt
elasticsearch.ssl.verificationMode: certificate
...
...
server.ssl.enabled: true
server.ssl.certificate: /etc/elasticsearch/config/certs/company_signed.cer #same cert as used in elasticsearch.yml
server.ssl.key: /etc/elasticsearch/config/certs/company_signedcer_key.pem
server.ssl.certificateAuthorities: /etc/elasticsearch/config/certs/company_Root.crt
server.publicBaseUrl: https://logs-uat.com
Tried to search around before posting here, and came across these two links -
But both appears to be the case with different CA and so had to be added to elastic. In my case, however, the CA is same for the cert being used on Kibana & Elasticsearch. And that's where my confusion stems from. Not sure if the CA cert should be added in any other default truststore.
Please advise.