I have an Elasticsearch cluster with 3 master and 3 data nodes. To generate the Elastic certs:
Step 1:
/u01/app/elasticsearch/bin/elasticsearch-certutil cert --pem --multiple
Step 2: It generated certificate-bundle.zip, which contains the CA and the ek-cspbt-master1, ek-cspbt-master2, etc. folders with all the server certs. I unzipped it and moved the certs to all the master and data nodes.
Step 3: To generate the Kibana config:
/u01/app/elasticsearch/bin/elasticsearch-certutil cert --name kibana-server --dns localhost,127.0.0.1,ek-cspbt-master1.dpapp1.oal.oraclevcn.com,ek-cspbt-master1
mv /u01/app/elasticsearch-7.6.2/kibana-server.p12 /u01/app/kibana/config/
When I restart Kibana I see the log below.
{"type":"log","@timestamp":"2025-03-05T15:52:43Z","tags":["status","plugin:tagcloud@7.6.2","info"],"pid":3371,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2025-03-05T15:52:43Z","tags":["status","plugin:vega@7.6.2","info"],"pid":3371,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2025-03-05T15:52:43Z","tags":["reporting","browser-driver","warning"],"pid":3371,"message":"Enabling the Chromium sandbox provides an additional layer of protection."}
{"type":"log","@timestamp":"2025-03-05T15:52:44Z","tags":["reporting","warning"],"pid":3371,"message":"Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml"}
{"type":"log","@timestamp":"2025-03-05T15:52:44Z","tags":["status","plugin:reporting@7.6.2","info"],"pid":3371,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2025-03-05T15:52:44Z","tags":["listening","info"],"pid":3371,"message":"Server running at https://0.0.0.0:5611/oalapp/kibana7"}
{"type":"log","@timestamp":"2025-03-05T15:52:44Z","tags":["info","http","server","Kibana"],"pid":3371,"message":"http server running at https://0.0.0.0:5611/oalapp/kibana7"}
{"type":"error","@timestamp":"2025-03-05T15:52:45Z","tags":["connection","client","error"],"pid":3371,"level":"error","error":{"message":"140298316523520:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n","name":"Error","stack":"Error: 140298316523520:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n"},"message":"140298316523520:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n"}
kibana.yml:
server.host: 0.0.0.0
server.port: 5611
server.basePath: "/oalapp/kibana7"
server.ssl.enabled: true
server.ssl.keystore.path: /u01/app/kibana/config/kibana-server.p12
server.ssl.keystore.password: ""
elasticsearch.ssl.certificateAuthorities: ["/u01/app/elasticsearch/config/jks/ca/ca.crt"]
elasticsearch.hosts: ["https://ek-cspbt-master1.dpapp1.oal.oraclevcn.com:9210"]
elasticsearch.username: "myuser"
elasticsearch.password: "mypassword"
elasticsearch.ssl.verificationMode: certificate
newsfeed.enabled: false
xpack.monitoring.ccs.enabled: false
server.rewriteBasePath: true
I tried curl with:
curl -v -u kibana --cacert ca.crt https://ek-cspbt-master1.dpapp1.oal.oraclevcn.com:9210/_cluster/health?pretty
Enter host password for user 'kibana':
* About to connect() to ek-cspbt-master1.dpapp1.oal.oraclevcn.com port 9210 (#0)
* Trying 10.3.161.188...
* Connected to ek-cspbt-master1.dpapp1.oal.oraclevcn.com (10.3.161.188) port 9210 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ca.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=ek-cspbt-master1
* start date: Feb 25 06:14:07 2025 GMT
* expire date: Feb 25 06:14:07 2028 GMT
* common name: ek-cspbt-master1
* issuer: CN=Elastic Certificate Tool Autogenerated CA
* Server auth using Basic with user 'kibana'
> GET /_cluster/health?pretty HTTP/1.1
> Authorization: Basic a2liYW5hOmNzcGJ0MTIzIyM=
> User-Agent: curl/7.29.0
> Host: ek-cspbt-master1.dpapp1.oal.oraclevcn.com:9210
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 471
<
{
"cluster_name" : "oci-es-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 6,
"number_of_data_nodes" : 3,
"active_primary_shards" : 139,
"active_shards" : 279,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
curl -v -u elastic --cacert ca.crt https://ek-cspbt-master1.dpapp1.oal.oraclevcn.com:9210/_cluster/health?pretty
Enter host password for user 'elastic':
* About to connect() to ek-cspbt-master1.dpapp1.oal.oraclevcn.com port 9210 (#0)
* Trying 10.3.161.188...
* Connected to ek-cspbt-master1.dpapp1.oal.oraclevcn.com (10.3.161.188) port 9210 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ca.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=ek-cspbt-master1
* start date: Feb 25 06:14:07 2025 GMT
* expire date: Feb 25 06:14:07 2028 GMT
* common name: ek-cspbt-master1
* issuer: CN=Elastic Certificate Tool Autogenerated CA
* Server auth using Basic with user 'elastic'
> GET /_cluster/health?pretty HTTP/1.1
> Authorization: Basic ZWxhc3RpYzpjc3BidDEyMyMj
> User-Agent: curl/7.29.0
> Host: ek-cspbt-master1.dpapp1.oal.oraclevcn.com:9210
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 471
<
{
"cluster_name" : "oci-es-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 6,
"number_of_data_nodes" : 3,
"active_primary_shards" : 139,
"active_shards" : 279,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
* Connection #0 to host ek-cspbt-master1.dpapp1.oal.oraclevcn.com left intact
Can someone help with this?
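Added diagnostic (not part of the original post, and not Elastic's code): "tlsv1 alert unknown ca" (TLS alert 48) is sent by the TLS client (the browser, or curl) when it cannot chain the certificate the server presented to a CA it trusts, so this alert in the Kibana log is about the browser-to-Kibana leg, not the Kibana-to-Elasticsearch leg that the two successful curl calls above exercise. The script below reproduces the situation offline with throwaway certificates and shows the check a practitioner would run against the real kibana-server.p12: does the Kibana server certificate chain to the same CA that the client trusts? The CA names, file names and CNs in the script (es-ca, second-ca, kibana-good, kibana-bad) are made up for the demo; it assumes the openssl CLI and a POSIX shell.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): reproduce and diagnose the
# "tlsv1 alert unknown ca" (TLS alert 48) seen in the Kibana log.
# The alert comes from the TLS *client* when it cannot chain the server cert to
# a trusted CA. `elasticsearch-certutil cert` run again without --ca/--ca-cert
# creates a fresh autogenerated CA, so a kibana-server.p12 made that way need
# not chain to the ca.crt a client trusts. Names below are invented for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# chain_check CA_PEM CERT_PEM -> 0 if CERT_PEM chains to CA_PEM, 1 otherwise.
# This is the same path-validation decision a client makes before sending alert 48.
chain_check() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# p12_leaf_cert P12 PASSWORD OUT_PEM -> extract the server (leaf) certificate from
# a PKCS#12 keystore (e.g. server.ssl.keystore.path) so chain_check can read it.
p12_leaf_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
}

# make_ca NAME -> self-signed CA, standing in for certutil's autogenerated CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" 2>/dev/null
}

# make_leaf NAME CA -> server certificate NAME issued by CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Scenario: "es-ca" is the cluster CA the client trusts. kibana-good is issued
# by it; kibana-bad is issued by an unrelated CA, which is what a second
# certutil run without --ca produces.
make_ca es-ca
make_ca second-ca
make_leaf kibana-good es-ca
make_leaf kibana-bad  second-ca

# Wrap the bad cert in a PKCS#12 with an empty password, mirroring
# server.ssl.keystore.password: "" in kibana.yml, then pull the leaf back out.
openssl pkcs12 -export -inkey "$WORK/kibana-bad.key" -in "$WORK/kibana-bad.crt" \
  -out "$WORK/kibana-bad.p12" -passout pass: 2>/dev/null
p12_leaf_cert "$WORK/kibana-bad.p12" "" "$WORK/kibana-bad-from-p12.crt"

# verdict CA CERT -> one-line result; returns chain_check's status.
verdict() {
  if chain_check "$1" "$2"; then
    echo "OK       $(basename "$2") chains to $(basename "$1")"
  else
    echo "ALERT 48 $(basename "$2") does NOT chain to $(basename "$1")" \
         "($(openssl x509 -in "$2" -noout -issuer))"
    return 1
  fi
}

verdict "$WORK/es-ca.crt" "$WORK/kibana-good.crt"
verdict "$WORK/es-ca.crt" "$WORK/kibana-bad-from-p12.crt" || true
```

Against the real files from the post, the same check is `openssl pkcs12 -in /u01/app/kibana/config/kibana-server.p12 -clcerts -nokeys -passin pass: | openssl x509 -noout -issuer`, compared with `openssl x509 -in /u01/app/elasticsearch/config/jks/ca/ca.crt -noout -subject`; a live view of what the browser sees is `openssl s_client -connect ek-cspbt-master1:5611 -CAfile ca.crt`, where anything other than "Verify return code: 0 (ok)" means the client will not trust the Kibana certificate. If the issuer differs, the usual remedies are to regenerate the Kibana certificate with `--ca-cert`/`--ca-key` pointing at the cluster CA from Step 1, or to import the CA that did issue it into the client's trust store. Two unrelated caveats from the output above: the `Authorization: Basic ...` headers in the curl traces are only base64 and decode to the plaintext credentials, so they should be scrubbed before posting, and a hard-coded `elasticsearch.password` in kibana.yml is better moved into the Kibana keystore (`kibana-keystore add elasticsearch.password`).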