No living connections - "Unable to get local issuer certificate"

J7mbo · April 18, 2020, 3:54pm

The solution is:

Elasticsearch must use self-signed certificates (and CA) for both http options (api) and transport options (communication in the cluster). Generate this with the elasticsearch cert utility --dns elasticsearch.
Kibana must also use this self-signed certificate to talk to https://elasticsearch for ELASTICSEARCH_SSL vars.
Kibana http can use wildcard domain certs for the SERVER_SSL options, so https://kibana.mydomain.com works.

Now kibana can resolve https://elasticsearch because it's using the self-signed cert and can use verification mode full because of the --dns option.

As a result, the elasticsearch API can now only be private because it uses a self-signed cert (no valid https://elasticsearch.mydomain.com).

I'm okay with this, as I don't want elasticsearch publicly accessible on a domain name, but I can imagine it's a downside for others.

Topic		Replies	Views
Kibana <---> Elasticsearch integration with SSL enable Kibana elastic-stack-security , docker	6	699	September 16, 2022
Error in Kibana "xpack => unable to get local issuer certificate" Kibana elastic-stack-security	2	1173	October 19, 2020
Unable to connect Kibana to Elasticsearch Elasticsearch docker	6	533	September 22, 2023
Kibana cannot connect to Elasticsearch after enabling SSL/TLS Kibana elastic-stack-security , docker	18	6846	September 10, 2019
Kibana SSL verification Trust Issues Kibana elastic-stack-security	20	9365	February 22, 2023

No living connections - "Unable to get local issuer certificate"

Related topics