SSL Alert Number 46 in Kibana.log

vsalunkhe · June 19, 2019, 8:00am

Hi,

I am seeing the below issue in kiabna.log

{"type":"error","@timestamp":"2019-06-19T07:47:31Z","tags":["connection","client","error"],"pid":122332,"level":"error","error":{"message":"139992275834752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n","name":"Error","stack":"Error: 139992275834752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"},"message":"139992275834752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"}

I have created separate set of self-signed certificates for kibana server and imported the same Client Certificate in Browser--> Personal Certificates

I have also imported the ca.crt used to sign the above client certificate in the Trusted Root Certification Authorities of the browser.

I dont get errors when I access from my machines browser. and the https is not strikethrough.

But when I copy the same set of certificates to my colleague's browser with same process, it still shows the error.

Also there is no IP or Hostname in the Error Message to identify exactly from where the logs are generated.

lukas · June 19, 2019, 3:16pm

Hi, could you provide the steps you used to generate the certificate on your machine?

vsalunkhe · June 20, 2019, 1:38pm

vim kibanacert.yml
instances:

name: "kibana-server"
dns:
- "kibanadv.nseroot.com"

bin/elasticsearch-certutil cert --silent --pem --in kibanacert.yml --out kibana-server.zip
copy the zip file to kibana installation directory

The two certificates need to be installed as follows:

kibana-server.p12 -- this is the client certificate

In the Chrome Settings --> Advanced --> Manage certificate --> import --> Next --> Browser to the path of Certificate and select it --> Next --> leave the password blank --> Go with the default actions for location select next --> Finish.
ca.crt -- This we need to add in the Trusted Root Certificate, to tell the browser that the certificate (mentioned in point no.1 ) is signed by a Trusted Source.

In the Chrome Settings --> Advanced --> Manage certificate --> select the "Trusted Root Certification Authorities" tab --> Import --> next --> Browser to the path of Certificate and select it --> Go with the default actions for location select next --> Finish.

AndrewMcQ · July 5, 2019, 2:44pm

+1 We're seeing something similar. Watching thread to see if the solution would be applicable to us.

We don't have errors hitting Kibana normally... we're just seeing these alerts every now and then in big batches.

anapsix · August 1, 2019, 1:58pm

check out this thread: Encrypting communications in Kibana

in short: Due to clients(Web Browsers) not trusting self-signed Kibana certificates, you will see a message similar to the following in your Kibana logs, until proper trust is established by using certificates generated by an enterprise or public CA (here's the link to the issue in the Kibana repo). This issue does not affect your ability to work in Kibana:

[18:22:31.675] [error][client][connection] Error: 4443837888:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/s3_pkt.c:1498:SSL alert number 46

As a result, Kibana's error logs is normal.

system · August 29, 2019, 1:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.