Hi,
I'm working on encrypting a dev ELK 5.6 stack on CentOS 6. I have followed the documents and was able to issue certificates and got the communication set up between two elasticsearch nodes and kibana. However, I see the following errors on my stack.
- Certificate error while accessing Kibana through web browser.
- Unable to curl the elasticsearch API (curl -X GET -v "https://IP:9201/_cluster/health" -u username)
Here's my kibana.yaml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
server.host: "IP"
# The Kibana server's name. This is used for display purposes.
server.name: "kibana-squad"
# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "https://IP:9201"
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
elasticsearch.preserveHost: true
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
kibana.index: ".kibana"
# The default application to load.
kibana.defaultAppId: "discover"
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "elastic"
elasticsearch.password: "password"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.pem
server.ssl.key: /etc/kibana/certs/kibana.key
xpack.monitoring.elasticsearch.ssl.ca: /etc/kibana/ca.crt
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
elasticsearch.ssl.certificate: /etc/kibana/masterdir.pem
elasticsearch.ssl.key: /etc/kibana/masterdir.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca.pem" ]
###################################################################
elasticsearch.yaml
###################################################################
cluster.name: elastic-squad
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: master
node.attr.rack: rack1
#
# ----------------------------------- Paths ------------------------------------
#
#
network.host: IP
#
# Set a custom port for HTTP:
#
http.port: 9201
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.zen.ping.unicast.hosts: ["IP"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
discovery.zen.minimum_master_nodes: 1
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#action.destructive_requires_name: true
node.max_local_storage_nodes: 3
bootstrap.system_call_filter: false
xpack.ssl.key: /etc/elasticsearch/x-pack/masterdir/masterdir.key
xpack.ssl.certificate: /etc/elasticsearch/x-pack/masterdir/masterdir.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca/ca.pem" ]
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
Errors:
[root@syeddev01 elasticsearch]# curl -X GET -v "https://IP:9201/_cluster/health" -u elastic
Enter host password for user 'elastic':
- About to connect() to IP port 9201 (#0)
- Trying IP... connected
- Connected to IP (IP) port 9201 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/pki/tls/certs/ca-bundle.crt
- CApath: none
- Peer's certificate issuer is not recognized: 'CN=Elastic Certificate Tool Autogenerated CA'
- NSS error -8179
- Closing connection #0
- Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
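The curl output above says the server's certificate was issued by the Elastic Certificate Tool CA, which is not in the system bundle (/etc/pki/tls/certs/ca-bundle.crt), and it also points out the second thing a client checks: that the name in the URL appears in the certificate. The script below is an added illustration, not part of the original post: it builds a throwaway CA and server certificate in a temp directory and then runs those two checks with openssl, the same way curl does with --cacert. The CA names, file paths and the 192.0.2.10 address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the two client-side
# checks offline. All files live in a temp dir that is removed on exit.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME "CN": create a self-signed CA as $WORK/NAME.pem + $WORK/NAME.key.
# One stands in for "Elastic Certificate Tool Autogenerated CA", another for
# an unrelated public CA such as those in the OS bundle.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server_cert CA_NAME SAN: issue $WORK/server.pem signed by that CA,
# e.g. make_server_cert elastic "IP:192.0.2.10". Serving Kibana or the ES
# API by IP address needs an IP entry in subjectAltName, not just a CN.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=kibana-squad" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$2" > "$WORK/ext.cnf"
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# chain_ok BUNDLE: 0 only if server.pem chains to a CA in BUNDLE. Trusting
# the wrong bundle is exactly the "issuer is not recognized" failure above;
# the fix is to hand the client the CA file (curl --cacert, or the OS store).
chain_ok() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# san_has_ip ADDR: 0 if server.pem lists ADDR as an IP subjectAltName.
# A cert that validates but lacks the address in the URL still fails with
# a name-mismatch error, the other cause the curl message mentions.
san_has_ip() {
  openssl x509 -in "$WORK/server.pem" -noout -text 2>/dev/null \
    | grep -q "IP Address:$1"
}
```

Against a live node the equivalent checks are `openssl s_client -connect IP:9201 -CAfile ca.pem` and `curl --cacert ca.pem https://IP:9201/_cluster/health -u elastic`; a cert that passes the chain check but not the SAN check will still be rejected by browsers and by curl.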