Let's Encrypt not working from console but does from Firefox

Good Day All.

I have set up a 2-node cluster with Elasticsearch and Kibana.
It took me quite some time to work out how to get real Let's Encrypt certs to work.
The cert now seems to be OK for Kibana and Elasticsearch communication.

However, when I installed Metricbeat on a server I got this error in the logs, which then required me to do more testing:

Error dialing x509: certificate signed by unknown authority","service.name":"metricbeat","network":"tcp","address":"elastic1.atstech.co.za:9200","ecs.version":"1.6.0"}

I found this odd, as when I go to https://elastic1:9200 from Firefox I see a verified cert.

Then I ran this in curl.

curl -v https: /elastic1<canpoint a link here>:9200
*   Trying 102.141.211.65:9200...
* Connected to elastic1<cant point a link here> (102.141.211.65) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: 

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

This makes no sense to me, so I assume I'm doing something wrong.
Here is my section of config for the certs.

xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  key: /etc/elasticsearch/ssl/elastic1.atstech.co.za/privkey1.pem
  certificate: /etc/elasticsearch/ssl/elastic1.atstech.co.za/cert1.pem
  #keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: /etc/elasticsearch/ssl/elastic1.atstech.co.za/privkey1.pem
  certificate: /etc/elasticsearch/ssl/elastic1.atstech.co.za/cert1.pem
  certificate_authorities: /etc/elasticsearch/ssl/elastic1.atstech.co.za/fullchain1.pem
  #keystore.path: certs/transport.p12
  #truststore.path: certs/transport.p12

And here are the steps I followed to generate the certs:

snap install certbot --classic
certbot certonly -d elastic1.atstech.co.za

===
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/elastic1.atstech.co.za/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/elastic1.atstech.co.za/privkey.pem
===
# note the archive directory in the command below

mkdir /etc/elasticsearch/ssl
rsync -avz /etc/letsencrypt/archive/elastic1.atstech.co.za /etc/elasticsearch/ssl/
chmod 750 /etc/elasticsearch/ssl/elastic1.atstech.co.za
chmod 640 /etc/elasticsearch/ssl/elastic1.atstech.co.za/*
chown -R root:elasticsearch /etc/elasticsearch/ssl/elastic1.atstech.co.za

mkdir /etc/kibana/ssl
rsync -avz /etc/letsencrypt/archive/elastic1.atstech.co.za /etc/kibana/ssl/
chmod 750 /etc/kibana/ssl/elastic1.atstech.co.za
chmod 640 /etc/kibana/ssl/elastic1.atstech.co.za/*
chown -R root:kibana /etc/kibana/ssl/elastic1.atstech.co.za

Any help would be greatly appreciated.
Regards

Please note that elastic1 all points correctly; however, the create-topic form doesn't allow me to type the link here.

I am not sure if you edited the curl output...
But you should see the Subject Names and SANs, do you?

# curl -v -u elastic https://elasticsearch.mydomain.net:9200
Enter host password for user 'elastic':
*   Trying 35.235.78.175:9200...
* TCP_NODELAY set
* Connected to elasticsearch.mydomain.net (35.235.78.175) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kibana.mydomain.net
*  start date: Dec 11 05:31:33 2023 GMT
*  expire date: Mar 10 05:31:32 2024 GMT
*  subjectAltName: host "elasticsearch.mydomain.net" matched cert's "elasticsearch.mydomain.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: elasticsearch.mydomain.net:9200
> Authorization: Basic asfdgasdfsdfasdfWdYY0ZUenZVbQ==
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 542
< 
{
  "name" : "stephenb-es-8-test",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "BCwYFLXqQLu1THBiiV9oTw",
  "version" : {
    "number" : "8.11.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "6f9ff581fbcde658e6f69d6ce03050f060d1fd0c",
    "build_date" : "2023-11-11T10:05:59.421038163Z",
    "build_snapshot" : false,
    "lucene_version" : "9.8.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host elasticsearch.mydomain.net left intact

I also see this in yours

* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate

That needs to be the fullchain.pem; I think you do not have the fullchain in there.

Also

* TLSv1.2 (OUT), TLS header, Unknown (21):

That is old(er) TLS...

certificate: /etc/elasticsearch/ssl/elastic1.atstech.co.za/cert1.pem

I suspect you do not have the fullchain in that cert.

I use Let's Encrypt

I use the TXT challenge method

sudo certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "elasticsearch.mydomain.net"

which produces

fullchain.pem
privkey.pem

then my settings are

xpack.security.http.ssl:
  enabled: true
  certificate: certs/fullchain.pem 
  key: certs/privkey.pem
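To confirm which file actually carries the chain, here is an added example (not from either poster) that parses a PEM bundle with only the Python standard library and reports whether each certificate's issuer is the subject of the one after it; a bundle holding only the leaf, like cert1.pem in the config above, is flagged, which is exactly the case where curl fails while a browser with a cached intermediate succeeds. The `toy_cert()` fixtures and their host names are constructed for the demo and are not real certificates.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_bytes):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw DER of (issuer, subject); tbs = [0]version? serial sigAlg issuer validity subject ..."""
    _, cert, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0          # skip the optional explicit [0] version
    fields = []
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, val, pos = _tlv(tbs, pos)
        fields.append(val)
    return fields[2], fields[4]

def check_chain(pem_bytes):
    """(ok, reason): ok only if each cert's issuer is the next cert's subject and an intermediate is present."""
    names = [issuer_and_subject(d) for d in pem_to_der_list(pem_bytes)]
    if len(names) < 2:
        return False, "leaf only (cert.pem?): clients without a cached intermediate will fail"
    for i, (issuer, _) in enumerate(names[:-1]):
        if issuer != names[i + 1][1]:
            return False, f"certificate {i} was not issued by certificate {i + 1}"
    return True, f"{len(names)} certificates, issuer/subject chain is consistent"

def _der(tag, payload):
    """Short-form DER TLV encoder, used only to build the constructed fixtures below."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def toy_cert(subject, issuer):
    """Constructed, unsigned stand-in with only the fields the parser reads; not a real certificate."""
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))       # SEQUENCE { UTF8String }
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    body = base64.encodebytes(_der(0x30, _der(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"
```

Run `check_chain(open("/etc/elasticsearch/ssl/<host>/cert1.pem", "rb").read())` against the file named in `certificate:`; it returns False for a leaf-only cert1.pem and True for a consistent fullchain1.pem.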

Thank you so much.
It did create the file, but I was not pointing to it correctly. Changing to use fullchain1.pem seems to have worked great. Thank you very much for your help.
