Socket error when starting kibana

Hello Team,

kindly advise why I am getting the following error when starting Kibana?

SSL generated using:
[elastic@rb-in-prod-kibana-01 Elasticsearch]$ ./bin/Elasticsearch-certutil http

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates

for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right

set of files for your needs.

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing

Certificate Authority (CA) that you do not control (that is, you don't have

access to the keys for that CA).

If you are in a corporate environment with a central security team, then you

may have an existing Corporate CA that can generate your certificate for you.

Infrastructure within your organisation may already be configured to trust this

CA, so it may be easier for clients to connect to Elasticsearch if you use a

CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate

for you. That certificate will be signed by a CA under your control. This is a

quick and easy way to secure your cluster with TLS, but you will need to

configure all your clients to trust that custom CA.

Generate a CSR? [y/N]n

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to

sign your new http certificate. This allows you to use the same CA across

multiple Elasticsearch clusters which can make it easier to configure clients,

and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]y

## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to

use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS

(.jks) or PEM (.crt, .key, .pem) format.

CA Path: /tmp/elastic-stack-ca.p12

Reading a PKCS12 keystore requires a password.

It is possible for the keystore's password to be blank,

in which case you can simply press <ENTER> at the prompt

Password for elastic-stack-ca.p12:

## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients

will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:

(a) set this to a short duration (90 - 120 days) and have automatic processes

to generate a new certificate before the old one expires, or

(b) set it to a longer duration (3 - 5 years) and then perform a manual update

a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 7D

The period '7d' is less than the recommended period

Are you sure? [y/N]y

## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a

separate certificate for each of these nodes. Each certificate will have its

own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid

across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain

(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it

simpler to generate one certificate with a wildcard hostname (*.es.example.com)

and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add

additional nodes to your cluster in the future, then you should generate a

certificate per node so that you can more easily generate new certificates when

you provision new nodes.

Generate a certificate per node? [y/N]y

## What is the name of node #1?

This name will be used as part of the certificate file name, and as a

descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name

of the Elasticsearch node.

node #1 name: rb-in-prod-kibana-01

## Which hostnames will be used to connect to rb-in-prod-kibana-01?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"

(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to

your cluster over http.

Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you

can enter that here.

Enter all the hostnames that you need, one per line.

When you are done, press <ENTER> once more to move on to the next step.

rb-in-prod-esearch-02

rb-in-prod-esearch-01

You entered the following hostnames.

- rb-in-prod-esearch-02

- rb-in-prod-esearch-01

Is this correct [Y/n]y

## Which IP addresses will be used to connect to rb-in-prod-kibana-01?

If your clients will ever connect to your nodes by numeric IP address, then you

can list these as valid IP "Subject Alternative Name" (SAN) fields in your

certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access

to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.

When you are done, press <ENTER> once more to move on to the next step.

10.242.1.118

10.242.1.117

10.242.1.119

You entered the following IP addresses.

- 10.242.1.118

- 10.242.1.117

- 10.242.1.119

Is this correct [Y/n]y

## Other certificate options

The generated certificate will have the following additional configuration

values. These values have been selected based on a combination of the

information you have provided above and secure defaults. You should not need to

change these values unless you have specific requirements.

Key Name: rb-in-prod-kibana-01

Subject DN: CN=rb-in-prod-kibana-01

Key Size: 2048

Do you wish to change any of these options? [y/N]n

Generate additional certificates? [Y/n]n

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".

This type of keystore is always password protected, but it is possible to use a

blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.

Provide a password for the "http.p12" file: [<ENTER> for none]

Repeat password to confirm:

## Where should we save the generated files?

A number of files will be generated including your private key(s),

public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.


7.9 OS. Automatically setting 'xpack.screenshotting.capture.browser.chromium.disableSandbox: true'.","log":{"level":"WARN","logger":"plugins.screenshotting.config"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:17.135+04:00","message":"Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.242.1.117:49768, Remote: 10.242.1.117:9200","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:17.661+04:00","message":"Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell","log":{"level":"INFO","logger":"plugins.screenshotting.chromium"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:17.662+04:00","message":"Enabling the Chromium sandbox provides an additional layer of protection.","log":{"level":"WARN","logger":"plugins.screenshotting.chromium"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:19.633+04:00","message":"Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.242.1.117:49784, Remote: 10.242.1.117:9200","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:22.141+04:00","message":"Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.242.1.117:49792, Remote: 10.242.1.117:9200","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:24.637+04:00","message":"Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.242.1.117:49800, Remote: 10.242.1.117:9200","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:27.135+04:00","message":"Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.242.1.117:49808, Remote: 10.242.1.117:9200","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:29.637+04:00","message":"Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.242.1.117:49816, Remote: 10.242.1.117:9200","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-05-05T12:32:32.136+04:00","message":"Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.242.1.117:49824, Remote: 10.242.1.117:9200","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":5770},"trace":{"id":"9a518bd8d3ae08be7cf0846ce9787b3a"},"transaction":{"id":"9563365a6bda3d93"}}

Thanks,

Roshan

Kibana.yml entry:


[elastic@rb-in-prod-kibana-01 elasticsearch]$ cat /etc/kibana/kibana.yml
# For more configuration options see the configuration guide for Kibana in
# https://www.elastic.co/guide/index.html

# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and h                                                                                                             ost names are both valid values.
# The default is 'localhost', which usually means remote machines will not be ab                                                                                                             le to connect.
# To allow connections from remote users, set this parameter to a non-loopback a                                                                                                             ddress.
#server.host: "localhost"

# Enables you to specify a path to mount Kibana at if you are running behind a p                                                                                                             roxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove th                                                                                                             e basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# Defaults to `false`.
#server.rewriteBasePath: false

# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""

# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576

# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"

# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, res                                                                                                             pectively.
# These settings enable SSL for outgoing requests from the Kibana server to the                                                                                                              browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

# =================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.hosts: ["http://10.242.1.117:9200"]
# If your Elasticsearch is protected with basic authentication, these settings p                                                                                                             rovide
# the username and password that the Kibana server uses to perform maintenance o                                                                                                             n the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsea                                                                                                             rch, which
# is proxied through the Kibana server.
#elasticsearch.username: "kibana_system"
#elasticsearch.password: "pass"

# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional us                                                                                                             ername/password based configuration.
# Use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults t                                                                                                             o the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch.                                                                                                              This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# The maximum number of sockets that can be used for communications with elastic                                                                                                             search.
# Defaults to `Infinity`.
#elasticsearch.maxSockets: 1024

# Specifies whether Kibana should use compression for communications with elasti                                                                                                             csearch
# Defaults to `false`.
#elasticsearch.compression: false

# List of Kibana client-side headers to send to Elasticsearch. To send *no* clie                                                                                                             nt-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers can                                                                                                             not be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelis                                                                                                             t configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set                                                                                                              to 0 to disable.
#elasticsearch.shardTimeout: 30000

# =================== System: Elasticsearch (Optional) ===================
# These files are used to verify the identity of Kibana to Elasticsearch and are                                                                                                              required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to requi                                                                                                             red.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem"]
# To disregard the validity of SSL certificates, change this setting's value to                                                                                                              'none'.
#elasticsearch.ssl.verificationMode: full

# =================== System: Logging ===================
# Set the value of this setting to off to suppress all logging output, or to deb                                                                                                             ug to log everything. Defaults to 'info'
#logging.root.level: debug

# Enables you to specify a file where Kibana stores log output.
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
#  layout:
#    type: json

# Logs queries sent to Elasticsearch.
#logging.loggers:
#  - name: elasticsearch.query
#    level: debug

# Logs http responses.
#logging.loggers:
#  - name: http.server.response
#    level: debug

# Logs system usage information.
#logging.loggers:
#  - name: metrics.ops
#    level: debug

# =================== System: Other ===================
# The path where Kibana stores persistent data not saved in Elasticsearch. Defau                                                                                                             lts to data
#path.data: data

# Specifies the path where Kibana creates the process ID file.
pid.file: /run/kibana/kibana.pid

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000ms.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number form                                                                                                             ats.
# Supported languages are the following: English (default) "en", Chinese "zh-CN"                                                                                                             , Japanese "ja-JP", French "fr-FR".
#i18n.locale: "en"

# =================== Frequently used (Optional)===================

# =================== Saved Objects: Migrations ===================
# Saved object migrations run at startup. If you run into migration-related issu                                                                                                             es, you might need to adjust these settings.

# The number of documents migrated at a time.
# If Kibana can't start up or upgrade due to an Elasticsearch `circuit_breaking_                                                                                                             exception`,
# use a smaller batchSize value to reduce the memory pressure. Defaults to 1000                                                                                                              objects per batch.
#migrations.batchSize: 1000

# The maximum payload size for indexing batches of upgraded saved objects.
# To avoid migrations failing due to a 413 Request Entity Too Large response fro                                                                                                             m Elasticsearch.
# This value should be lower than or equal to your Elasticsearch cluster’s `http                                                                                                             .max_content_length`
# configuration option. Default: 100mb
#migrations.maxBatchSizeBytes: 100mb

# The number of times to retry temporary migration failures. Increase the settin                                                                                                             g
# if migrations fail frequently with a message such as `Unable to complete the [                                                                                                             ...] step after
# 15 attempts, terminating`. Defaults to 15
#migrations.retryAttempts: 15

# =================== Search Autocomplete ===================
# Time in milliseconds to wait for autocomplete suggestions from Elasticsearch.
# This value must be a whole number greater than zero. Defaults to 1000ms
#data.autocomplete.valueSuggestions.timeout: 1000

# Maximum number of documents loaded by each shard to generate autocomplete sugg                                                                                                             estions.
# This value must be a whole number greater than zero. Defaults to 100_000
#data.autocomplete.valueSuggestions.terminateAfter: 100000

What version of the stack are you using?