Currently attempting to configure mTLS between Elasticsearch & Kibana, but I am getting this error… (stack 9.3.0)
[2026-02-18T15:25:30,182][WARN ][o.e.h.AbstractHttpServerTransport] [testelastic.internal] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/10.0.1.251:9200, remoteAddress=/10.0.1.251:45016}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: (certificate_required) Empty client certificate chain
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:515) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[?:?]
and on the Kibana side:
ecurity.authentication] Performing login attempt with "basic" provider.
ecurity.authentication] Login attempt with "basic" provider failed: C07C43A8977F0000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../deps/openssl/openssl/ssl/record/rec_layer_s3>
This is the CA relationship; I am testing right now on a single node running both items. I still intend to use a service token in the backend, but I want to have transport level communications be validated by mTLS.
[root@testelastic kibana]# openssl verify -CAfile=/etc/kibana/certs/es_ca.cert.pem /etc/elasticsearch/certs/es_fullchain.cert.pem
/etc/elasticsearch/certs/es_fullchain.cert.pem: OK
[root@testelastic kibana]# openssl verify -CAfile=/etc/elasticsearch/certs/kibana_ca.cert.pem /etc/kibana/certs/kibana.cert.pem
/etc/kibana/certs/kibana.cert.pem: OK
elasticsearch.yml:
# HTTP layer (Kibana, Agents, API)
xpack.security.http.ssl:
  enabled: true
  verification_mode: none #temporary as a part of debugging, still showing the issue
  key: certs/es.key.pem
  certificate: certs/es_fullchain.cert.pem
  certificate_authorities:
    - certs/es_ca.cert.pem
    - certs/kibana_ca.cert.pem
    - certs/es_fleet_ca.cert.pem
  client_authentication: required
kibana.yml:
elasticsearch.hosts:
  - "https://testelastic.internal:9200"
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.cert.pem
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key.pem
elasticsearch.ssl.certificateAuthorities:
  - /etc/kibana/certs/es_ca.cert.pem
elasticsearch.ssl.verificationMode: full
Connections are routing through the system on the internal interface, with SANs for IPs and the domain name being used.
kibana.cert.pem:
    X509v3 extensions:
        X509v3 Extended Key Usage:
            TLS Web Client Authentication
        X509v3 Subject Alternative Name:
            DNS:testelastic.internal, IP Address:10.0.1.251
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Subject Key Identifier:
            DA:0D:DC:6A:B1:04:73:2C:B5:0B:D7:D4:A4:97:30:00:46:DC:F3:FA
        X509v3 Authority Key Identifier:
            3B:F9:C9:D1:24:5B:65:6D:F2:1F:73:7E:C5:86:17:10:DE:35:43:CF
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
elasticsearch.cert.pem:
    X509v3 extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Subject Alternative Name:
            DNS:testelastic.internal, IP Address:10.0.1.251
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Subject Key Identifier:
            B8:77:40:07:A6:0D:93:F4:06:38:3B:6D:B4:FD:D4:E4:06:4F:BC:A2
        X509v3 Authority Key Identifier:
            B3:F9:90:07:A9:77:D2:CC:56:FC:CB:5B:28:87:DB:90:FF:4F:D3:69
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
Not sure what the issue is or what I am missing here - the certs are all valid, under the expected CAs, and their keys match up as well. Am I missing something, or is the PKI realm a requirement to utilize mTLS for this? As far as I can tell, it seems like it’s simply not providing a certificate to Elasticsearch.
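
One way to separate the two sides of this failure, as an added example that is not part of the original post: replay the handshake against the Elasticsearch HTTP port with `openssl s_client`, once presenting Kibana's certificate and key and once presenting nothing. The function name `probe_mtls` is made up for this example, and it assumes `openssl` and coreutils `timeout` are installed; the paths in the usage comment are the ones from the configs above.

```sh
#!/bin/sh
# Added diagnostic example; probe_mtls is a name made up for this sketch.
#
# probe_mtls HOST PORT CA_FILE [CLIENT_CERT CLIENT_KEY]
#   Sends one HTTP request over TLS with openssl s_client and prints
#     accepted  - an HTTP status line came back (a 401 still counts: the
#                 TLS layer took the certificate, HTTP auth is a later step)
#     rejected  - the connection ended before any HTTP response, which is
#                 what a certificate_required alert looks like to the client
probe_mtls() {
    host=$1; port=$2; ca=$3; cert=${4:-}; key=${5:-}
    set -- -connect "$host:$port" -CAfile "$ca" -quiet
    if [ -n "$cert" ]; then
        set -- "$@" -cert "$cert" -key "$key"
    fi
    # -quiet implies -ign_eof, so s_client keeps reading after stdin closes;
    # timeout bounds the wait if the server never answers.
    if printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
        | timeout 10 openssl s_client "$@" 2>/dev/null \
        | grep -q '^HTTP/'; then
        echo accepted
    else
        echo rejected
    fi
}

# Usage with the paths from the post (run on the Kibana host, as a user
# that can read the key):
#   probe_mtls testelastic.internal 9200 /etc/kibana/certs/es_ca.cert.pem \
#       /etc/kibana/certs/kibana.cert.pem /etc/kibana/certs/kibana.key.pem
#   probe_mtls testelastic.internal 9200 /etc/kibana/certs/es_ca.cert.pem
```

If the first probe prints `accepted`, Elasticsearch trusts the Kibana certificate and the empty chain originates on the client side of the connection; `rejected` on both points back at the server's trust configuration.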