I think I might be missing something obvious but I am attempting to enable basic security on our Testing ELK Stack. Enabling SSL on Elasticsearch was successful. The certificate I am using is restricted to accept the following:
localhost
kibana.local
logstash.local
elastic.local
I have used certutil cert --ca {ca file path} --pem to create a certificate in pem format for Kibana and Logstash. The ca certificate does have a password.
I can connect using elastichead to this URL and I can also connect using PowerShell.
I have set the certificate settings in kibana.yml to
certificate (pem format) {filepath/instance.crt}
key {filepath/instance.key}
I have also created and added a kibana keystore for the credentials to connect to elasticsearch.
If I set the verification to None it connects ok but when using Certificate I get the error. This leads me to think it is a certificate issue but I don't know how to confirm suspicions.
If you set the verificationmode to none Kibana connects ok to Elasticsearch but when setting to certificate I see:
{"type":"log","@timestamp":"2019-08-27T23:56:24Z","tags":["warning","elasticsearch","admin"],"pid":11572,"message":"Unable to revive connection: https://127.0.0.1:9200/"}
{"type":"log","@timestamp":"2019-08-27T23:56:24Z","tags":["warning","elasticsearch","admin"],"pid":11572,"message":"No living connections"}
It could be something really simple but I cannot see it.
Ok so I am a bit further on now and I have encountered another error which seems to imply it is a Java error. My knowledge of Java is non-existent and the error is:
[2019-08-29T13:38:43,822][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://logstash_internal:xxxxxx@elastic.local:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://logstash_internal:xxxxxx@elastic.local:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
The self signed certificate is installed in the trusted on the local machine. If you know what is causing the issue and how to resolve let me know.
Thanks for the updates and I'm glad to see you're making progress. I will try to replicate the error you're seeing but it might take me a couple of days.
I have now managed to resolve the problem. To do this I browsed to the URL in the error message: https://logstash_internal:xxxxxx@elastic.local:9200/ and exported the certificate and pointed the cacert to the exported certificate which resolved the issue.
The documentation I had was missing that step.
Thanks for your assistance in getting this resolved.
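Added example (not part of the thread, and not Elastic's own tooling): one way to confirm offline whether a CA file is the one a node certificate chains to, which is the condition behind the "PKIX path building failed" message. All keys and certificates are constructed in a temp directory; `make_demo_pki`, `check_chain` and `check_name` are hypothetical helper names, and only the SAN list is taken from the first post.

```shell
#!/bin/sh
# Constructed demo PKI: nothing here touches a real cluster or real keys.

make_demo_pki() {  # $1 = output directory
  dir=$1
  # Two unrelated CAs: one signs the node certificate, the other does not.
  for ca in signing other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$ca-ca" \
      -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.crt" 2>/dev/null || return 1
  done
  # Node certificate restricted to the names listed in the post.
  printf 'subjectAltName=DNS:localhost,DNS:kibana.local,DNS:logstash.local,DNS:elastic.local\n' \
    > "$dir/san.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=elastic.local" \
    -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/node.csr" -days 1 -extfile "$dir/san.ext" \
    -CA "$dir/signing-ca.crt" -CAkey "$dir/signing-ca.key" -CAcreateserial \
    -out "$dir/node.crt" 2>/dev/null
}

# check_chain CA_FILE CERT_FILE: exit 0 only if CERT_FILE chains to CA_FILE.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_name CA_FILE CERT_FILE HOSTNAME: chain check plus a match against the SAN list.
check_name() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Stand-alone run: the same node certificate passes or fails depending on the CA file.
demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl could not build the demo PKI" >&2; exit 1; }
check_chain "$demo/signing-ca.crt" "$demo/node.crt" && echo "signing CA: chain OK"
check_chain "$demo/other-ca.crt" "$demo/node.crt" || echo "other CA: no valid certification path"
check_name "$demo/signing-ca.crt" "$demo/node.crt" elastic.local && echo "elastic.local: name OK"
rm -rf "$demo"
```

Against a running node, `openssl s_client -connect elastic.local:9200 -CAfile <ca file>` reports the same result in its "Verify return code" line.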