SSL Alert Number 46 in Kibana.log

Hi,

I am seeing the below issue in kiabna.log

{"type":"error","@timestamp":"2019-06-19T07:47:31Z","tags":["connection","client","error"],"pid":122332,"level":"error","error":{"message":"139992275834752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n","name":"Error","stack":"Error: 139992275834752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"},"message":"139992275834752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n"}

I have created separate set of self-signed certificates for kibana server and imported the same Client Certificate in Browser--> Personal Certificates

I have also imported the ca.crt used to sign the above client certificate in the Trusted Root Certification Authorities of the browser.

I dont get errors when I access from my machines browser. and the https is not strikethrough.

But when I copy the same set of certificates to my colleague's browser with same process, it still shows the error.

Also there is no IP or Hostname in the Error Message to identify exactly from where the logs are generated.

Hi, could you provide the steps you used to generate the certificate on your machine?

vim kibanacert.yml
instances:

bin/elasticsearch-certutil cert --silent --pem --in kibanacert.yml --out kibana-server.zip
copy the zip file to kibana installation directory

The two certificates need to be installed as follows:

  1. kibana-server.p12 -- this is the client certificate

    In the Chrome Settings --> Advanced --> Manage certificate --> import --> Next --> Browser to the path of Certificate and select it --> Next --> leave the password blank --> Go with the default actions for location select next --> Finish.

  2. ca.crt -- This we need to add in the Trusted Root Certificate, to tell the browser that the certificate (mentioned in point no.1 ) is signed by a Trusted Source.

    In the Chrome Settings --> Advanced --> Manage certificate --> select the "Trusted Root Certification Authorities" tab --> Import --> next --> Browser to the path of Certificate and select it --> Go with the default actions for location select next --> Finish.

+1 We're seeing something similar. Watching thread to see if the solution would be applicable to us.

We don't have errors hitting Kibana normally... we're just seeing these alerts every now and then in big batches.

check out this thread: Encrypting communications in Kibana

in short: Due to clients(Web Browsers) not trusting self-signed Kibana certificates, you will see a message similar to the following in your Kibana logs, until proper trust is established by using certificates generated by an enterprise or public CA (here's the link to the issue in the Kibana repo). This issue does not affect your ability to work in Kibana:

[18:22:31.675] [error][client][connection] Error: 4443837888:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/s3_pkt.c:1498:SSL alert number 46

As a result, Kibana's error logs is normal.