Logstash unable to connect to Elasticsearch over https

HI All ,

We are trying to connect to elastic serach server from logstash, but it throws following error even after specifying the path to certificate , we have tried giving

We first tried using the following :

truststore => /xxxx/cacert
truststore_password => "XXXXX"

we also tried using :
cacert => "/path to/xxxx.cer"

And we are sure that cacerts has appropriate root certificate , when we run a java program using the same cacert it works without any errors.

PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors {:class=>"Manticore::ClientProtocolException", :level=>:error}
PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors {:class=>"Manticore::ClientProtocolException", :level=>:error}

input {
  kafka {
    topic_id => "logs"
    group_id => "logstashdevgroup"
   zk_connect => "10.203.91.61:8164"
  }
}
 
filter{
mutate{
  add_field => {
    "applicationName" => "%{[contextMap][applicationName]}"
  }
}
uuid{
   target => "documenteventId"
}
}
 
output {
 
if  [level] == "ERROR" or [level] == "WARN" or [level] == "FATAL" {
 
  elasticsearch {
     ssl => true
     cacert => /opt/xxx.cer
     hosts => "https://xxxxxxxx.com"
  }
 
  kafka {
    topic_id => "omega-error-logs"
    bootstrap_servers => "10.203.91.61:8165"
  }
 
}
 
else {
  elasticsearch {
      ssl => true
      cacert => /opt/xxx.cer
      hosts => "https://xxxxxx.com"
  }
}
 
 
}

Any help would be appreciated , we are blocked on this issue.

For the elasticsearch cluster, are you using a CA + an intermediate?

keytool -list -v -keystore file.jks

If so, you may need to import both into the truststore for logstash.

https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-truststore

Actually Our elasticsearch itself is not SSL enabled , but we have fronted Elastic search with an ELB in AWS environment . The ELB is configured with the a CA signed certificate.

So are you saying I need to add both the root certificate and then the Public certificate to the trust store ?

What happens if you curl that endpoint using --cacert [file]?

Thanks @jpcarey Its issue with the certificate