[KIBANA] Xpack notification

Elastic Stack Kibana
1

Hi there,

I've just set the TLS cipher on my production elasticsearch cluster. I have I wathcer scheduled every morning to report a Kibana dashboard and send a pdf via email. Now after the TLS setting I have this error.

"actions": [
      {
        "id": "send_email",
        "type": "email",
        "status": "failure",
        "error": {
          "root_cause": [
            {
              "type": "s_s_l_handshake_exception",
              "reason": "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
            }
          ],
          "type": "s_s_l_handshake_exception",
          "reason": "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
          "caused_by": {
            "type": "validator_exception",
            "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
            "caused_by": {
              "type": "sun_cert_path_builder_exception",
              "reason": "unable to find valid certification path to requested target"
            }
          }
        }
      }
    ]
  }

This is my wathcer config

{
  "trigger": {
    "schedule": {
      "daily": {
        "at": [
          "06:30"
        ]
      }
    }
  },
  "input": {
    "none": {}
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "attachments": {
          "error_report.pdf": {
            "reporting": {
              "url": "https://10.0.5.0:5601/api/reporting/generate/printablePdf?jobParams=[...]",
              "auth": {
                "basic": {
                  "username": "watcher",
                  "password": "elastic"
                }
              }
            }
          }
        },
        "to": [
          "control_room@enterprise.com"
        ],
        "subject": "Report applications errors",
        "body": {
          "html": "<p>Error report attached</p>"
        }
      }
    }
  }
}

This is my elasticsearch.yml.

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: /Elastic/elasticsearch-6.7.1/config/certs/my_certs.pfx

xpack.security.transport.ssl.truststore.path: /Elastic/elasticsearch-6.7.1/config/certs/cacerts

xpack.security.transport.ssl.client_authentication: none

xpack.security.http.ssl.enabled: true

xpack.security.http.ssl.client_authentication: optional

xpack.security.http.ssl.verification_mode: certificate

xpack.security.http.ssl.keystore.path: /Elastic/elasticsearch-6.7.1/config/certs/my_certs.pfx

xpack.security.http.ssl.truststore.path: /Elastic/elasticsearch-6.7.1/config/certs/cacerts

All the comunication via https work fine, but this one doesn't. Anyone can help me?

2

Hi there!

It looks like the cert you're using on the Kibana instance is not trusted by your JVM configuration in Elasticsearch. It's possible that the certificate was signed by a CA that is not in your keystore on the JVM. Here's a good answer from StackOverflow on how to add a certificate to your keystore. You'll need to make sure that this cert exists on each Elasticsearch node in your cluster.

3

Thanks for the answer. In the truststore listed in my elasticsearch.yml the certificate is trusted, I'll try to add it into the java "cacerts" file e see if it works. Thank you again.

4

I've installed the certiicate in the java cacerts but nothing changed. The same error. Is there any other config I can try to see?

Thank you.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.