Self-signed certificate in certificate chain

Hello there,

I've encountered an old/new problem since I updated my Kibana to the newest version.

First of all, my kibana.yml:

server.port: 5601
server.publicBaseUrl: "htt.p://siteurl"
server.ssl.enabled: true
xpack.fleet.registryProxyUrl: "htt.p://myproxy"
server.ssl.keystore.path: "path/to/my/keystore"
server.ssl.keystore.password: ''
server.ssl.truststore.path: "path/to/my/keystore"
server.ssl.truststore.password: ''
elasticsearch.ssl.keystore.path: "path/to/my/keystore"
elasticsearch.ssl.keystore.password: '*****'
elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: [ "/path/to/my/pemchain" ]

I get this error:

kibana[10448]: [2024-12-06T15:04:49.817+01:00][ERROR][plugins.fleet] Failed to fetch latest version of synthetics from registry: Error connecting to package registry: request to http.s://epr.elastic.co/search?package=synthetics&prerelease=true&kibana.version=8.16.1 failed, reason: self-signed certificate in certificate chain

In older versions you just had to add the path to the pemchain in "/usr/share/kibana/bin/kibana" like this:

NODE_EXTRA_CA_CERTS="/path/to/my/pemchain"

and it worked.
So what's the deal with the newest version?

Best regards.

push

Hi,

I have the same problem in version 9.1.

I have added the pemchain to /usr/share/kibana/bin/kibana

(see last line)

#!/bin/sh
SCRIPT=$0

# SCRIPT may be an arbitrarily deep series of symlinks. Loop until we have the concrete path.
while [ -h "$SCRIPT" ] ; do
  ls=$(ls -ld "$SCRIPT")
  # Drop everything prior to ->
  link=$(expr "$ls" : '.*-> \(.*\)$')
  if expr "$link" : '/.*' > /dev/null; then
    SCRIPT="$link"
  else
    SCRIPT=$(dirname "$SCRIPT")/"$link"
  fi
done

DIR="$(dirname "${SCRIPT}")/.."
CONFIG_DIR=${KBN_PATH_CONF:-"$DIR/config"}

test_node() {
  test -x "$NODE"
  if [ ! -x "$NODE" ]; then
    echo "unable to find usable node.js executable."
    exit 1
  fi
}

if [ -f "${CONFIG_DIR}/node.options" ]; then
  KBN_NODE_OPTS="$(grep -v ^# < ${CONFIG_DIR}/node.options | xargs)"
fi

NODE="${DIR}/node/glibc-217/bin/node"
test_node

# Enable capturing heap snapshots. See https://nodejs.org/api/cli.html#--heapsnapshot-signalsignal
# For now only on POSIX platforms, term signals work differently on Windows.
NODE_OPTIONS_HEAPSNAPSHOT_DEFAULT="${NODE_OPTIONS_HEAPSNAPSHOT_DEFAULT:---heapsnapshot-signal=SIGUSR2 --diagnostic-dir=$DIR/data}"

NODE_OPTIONS="--no-warnings --max-http-header-size=65536 $NODE_OPTIONS_HEAPSNAPSHOT_DEFAULT $KBN_NODE_OPTS $NODE_OPTIONS" NODE_ENV=production exec "${NODE}" "${DIR}/src/cli/dist" "${@}"
NODE_EXTRA_CA_CERTS="/etc/kibana/CA_Bundle_2024.pem"

After that I restarted kibana and elasticsearch …

The error remained:

Error connecting to package registry: request to https://epr.elastic.co/search?package=endpoint&prerelease=false&kibana.version=9.1.0&spec.min=2.3&spec.max=3.4 failed, reason: self-signed certificate in certificate chain"
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.11.0"},"@timestamp":"2025-08-07T09:41:13.008+02:00","message":"Failed to fetch latest version of synthetics from registry: Error connecting to package registry: request to https://epr.elastic.co/search?package=synthetics&prerelease=false&kibana.version=9.1.0&spec.min=2.3&spec.max=3.4 failed, reason: self-signed certificate in certificate chain","log":{"level":"ERROR","logger":"plugins.fleet"},"process":{"pid":30324,"uptime":47.262371184},"trace":{"id":"29410b255c452cc674ed55dc9066bbe4"},"transaction":{"id":"f392a7355955495e"}}
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.11.0"},"@timestamp":"2025-08-07T09:41:13.013+02:00","message":"Failed to fetch latest version of endpoint from registry: Error connecting to package registry: request to https://epr.elastic.co/search?package=endpoint&prerelease=false&kibana.version=9.1.0&spec.min=2.3&spec.max=3.4 failed, reason: self-signed certificate in certificate chain","log":{"level":"ERROR","logger":"plugins.fleet"},"process":{"pid":30324,"uptime":47.267121124},"trace":{"id":"29410b255c452cc674ed55dc9066bbe4"},"transaction":{"id":"f392a7355955495e"}} 

Fleet is not activated on the instance …

Thank you very much for short feedback.

Best regards

EI
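Added example, not part of any post in this thread: a shell `exec` replaces the shell process, so a line placed after it never runs, and Node.js reads `NODE_EXTRA_CA_CERTS` from its environment only at startup. The heuristic below classifies where a launcher script sets the variable relative to `exec`; the function names and the sample snippets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies how a launcher sets NODE_EXTRA_CA_CERTS relative to
# the `exec` that starts Node.js. Reads a file argument or stdin.
# Prints one of: ok | not-exported | after-exec | missing
check_launcher() {
  awk '
    /^[ \t]*#/ { next }                      # ignore comment lines
    {
      line = " " $0                          # pad so keywords at column 1 match
      has_exec = (line ~ /[ \t;]exec[ \t]/)
      assigns  = (line ~ /NODE_EXTRA_CA_CERTS=/)
      exports  = (line ~ /[ \t;]export[ \t].*NODE_EXTRA_CA_CERTS/)
    }
    # Never reached at runtime: exec has already replaced the shell.
    seen_exec && (assigns || exports) { late = 1 }
    # Exported before exec, or given as a prefix assignment on the exec line.
    !seen_exec && (exports || (assigns && has_exec)) { good = 1 }
    # Plain assignment: a shell-local variable that the child does not inherit.
    !seen_exec && assigns && !exports && !has_exec { bare = 1 }
    has_exec { seen_exec = 1 }
    END {
      if (good) print "ok"
      else if (bare) print "not-exported"
      else if (late) print "after-exec"
      else print "missing"
    }' "$@"
}

# Linux only: does a running process (for example the Kibana node PID) actually
# have the variable in the environment it was started with?
proc_has_ca_var() {
  2>/dev/null tr '\0' '\n' < "/proc/$1/environ" | grep -q '^NODE_EXTRA_CA_CERTS='
}

# Constructed samples: the variable after exec, and exported before it.
late_sample='NODE_ENV=production exec "${NODE}" "${DIR}/src/cli/dist" "${@}"
NODE_EXTRA_CA_CERTS="/etc/kibana/CA_Bundle_2024.pem"'
early_sample='export NODE_EXTRA_CA_CERTS="/etc/kibana/CA_Bundle_2024.pem"
NODE_ENV=production exec "${NODE}" "${DIR}/src/cli/dist" "${@}"'

printf '%s\n' "$late_sample"  | check_launcher   # after-exec
printf '%s\n' "$early_sample" | check_launcher   # ok
```

Run `check_launcher /usr/share/kibana/bin/kibana` against the real launcher, and `proc_has_ca_var <pid>` against the running Kibana process to confirm what it was started with.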

Hi @hyyWaVe

have you been able to solve the problem?

Thank you very much for a short confirmation.

Best regards

EI