SSL handshake fails between Kibana/APMServer and Elasticsearch after custom certificate setting on Elasticsearch

Bingu_Shim · May 9, 2020, 8:32am

I just tried this configuration with new released version

elastic operator : 1.1.0
Elasticsearch, Kibana : 7.6.2

And got same error as you got

Here is kibana error

2020-05-09T08:24:14.077382373Z {"type":"log","@timestamp":"2020-05-09T08:24:14Z","tags":["info","plugins-service"],"pid":7,"message":"Plugin \"case\" is disabled."}
2020-05-09T08:25:29.443788733Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins-system"],"pid":7,"message":"Setting up [37] plugins: [infra,taskManager,siem,licensing,encryptedSavedObjects,code,usageCollection,metrics,canvas,timelion,features,security,apm_oss,translations,reporting,uiActions,data,navigation,status_page,share,newsfeed,kibana_legacy,management,dev_tools,inspector,expressions,visualizations,embeddable,advancedUiActions,dashboard_embeddable_container,home,spaces,cloud,apm,graph,eui_utils,bfetch]"}
2020-05-09T08:25:29.444798641Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","infra"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.447690701Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","taskManager"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.7385755Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","siem"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.739647503Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","licensing"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.744117332Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","encryptedSavedObjects"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.745404276Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["warning","plugins","encryptedSavedObjects","config"],"pid":7,"message":"Generating a random key for xpack.encryptedSavedObjects.encryptionKey. To be able to decrypt encrypted saved objects attributes after restart, please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml"}
2020-05-09T08:25:29.84346468Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","code"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.844729461Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","usageCollection"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.847087285Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","metrics"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.847812528Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","canvas"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.853667359Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","timelion"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.854613642Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","features"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.855590132Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","security"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.874897033Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","apm_oss"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.875407265Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","translations"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.876092198Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","data"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.938860566Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","share"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.940414124Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","home"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.945554172Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","spaces"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.950075428Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","cloud"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.95119985Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","apm"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.955940613Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","graph"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.958959265Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","plugins","bfetch"],"pid":7,"message":"Setting up plugin"}
2020-05-09T08:25:29.965921138Z {"type":"log","@timestamp":"2020-05-09T08:25:29Z","tags":["info","savedobjects-service"],"pid":7,"message":"Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations..."}
2020-05-09T08:25:30.061930512Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["error","elasticsearch","data"],"pid":7,"message":"Request error, retrying\nHEAD https://quickstart-es-http.default.svc:9200/.apm-agent-configuration => unable to verify the first certificate"}
2020-05-09T08:25:30.135797692Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["error","elasticsearch","admin"],"pid":7,"message":"Request error, retrying\nGET https://quickstart-es-http.default.svc:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip => unable to verify the first certificate"}
2020-05-09T08:25:30.142034057Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["error","elasticsearch","data"],"pid":7,"message":"Request error, retrying\nGET https://quickstart-es-http.default.svc:9200/_xpack => unable to verify the first certificate"}
2020-05-09T08:25:30.150702631Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:30.151361924Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:30.153163439Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["error","savedobjects-service"],"pid":7,"message":"Unable to retrieve version information from Elasticsearch nodes."}
2020-05-09T08:25:30.158642587Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["warning","elasticsearch","data"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:30.159443419Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["warning","elasticsearch","data"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:30.160227781Z Could not create APM Agent configuration: No Living connections
2020-05-09T08:25:30.161510651Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["warning","elasticsearch","data"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:30.162179092Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["warning","elasticsearch","data"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:30.162943621Z {"type":"log","@timestamp":"2020-05-09T08:25:30Z","tags":["warning","plugins","licensing"],"pid":7,"message":"License information could not be obtained from Elasticsearch due to Error: No Living connections error"}
2020-05-09T08:25:32.5542814Z {"type":"log","@timestamp":"2020-05-09T08:25:32Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:32.554928902Z {"type":"log","@timestamp":"2020-05-09T08:25:32Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:35.052432592Z {"type":"log","@timestamp":"2020-05-09T08:25:35Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:35.052826311Z {"type":"log","@timestamp":"2020-05-09T08:25:35Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:37.555127441Z {"type":"log","@timestamp":"2020-05-09T08:25:37Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:37.555801219Z {"type":"log","@timestamp":"2020-05-09T08:25:37Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:40.058631235Z {"type":"log","@timestamp":"2020-05-09T08:25:40Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:40.05908746Z {"type":"log","@timestamp":"2020-05-09T08:25:40Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:42.555943297Z {"type":"log","@timestamp":"2020-05-09T08:25:42Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:42.556386251Z {"type":"log","@timestamp":"2020-05-09T08:25:42Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:45.059285085Z {"type":"log","@timestamp":"2020-05-09T08:25:45Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:45.059762989Z {"type":"log","@timestamp":"2020-05-09T08:25:45Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:47.559567891Z {"type":"log","@timestamp":"2020-05-09T08:25:47Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:47.560105532Z {"type":"log","@timestamp":"2020-05-09T08:25:47Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}
2020-05-09T08:25:50.060813521Z {"type":"log","@timestamp":"2020-05-09T08:25:50Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"Unable to revive connection: https://quickstart-es-http.default.svc:9200/"}
2020-05-09T08:25:50.061180134Z {"type":"log","@timestamp":"2020-05-09T08:25:50Z","tags":["warning","elasticsearch","admin"],"pid":7,"message":"No living connections"}

And this is yaml

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  http:
    service:
      spec:
        type: LoadBalancer
        loadBalancerIP: <my ip>
    tls:
      certificate:
        secretName: <my secret>
  version: 7.6.2
  nodeSets:
    - name: node
      count: 2
      config:
        node.master: true
        node.ingest: true
        node.data: true
        node.store.allow_mmap: true
      podTemplate:
        metadata:
          labels:
            name: node
          annotations:
            "co.elastic.logs/module": elasticsearch
            "co.elastic.metrics/module": elasticsearch
            "co.elastic.metrics/period": "10s"
            "co.elastic.metrics/hosts": "${data.host}:80"
        spec:
          initContainers:
            - name: sysctl
              securityContext:
                privileged: true
              command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
          containers:
            - name: elasticsearch
              resources:
                requests:
                  memory: 4Gi
                  cpu: 1
                limits:
                  memory: 4Gi
                  cpu: 1
              env:
                - name: ES_JAVA_OPTS
                  value: "-Xms2g -Xmx2g"
      volumeClaimTemplates:
        - metadata:
            name: elasticsearch-data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 200Gi
            storageClassName: standard
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 7.6.2
  count: 1
  elasticsearchRef:
    name: quickstart
  http:
    service:
      spec:
        type: LoadBalancer
        loadBalancerIP: <my ip>
    tls:
      certificate:
        secretName: <my secrets>
  podTemplate:
    spec:
      containers:
        - name: kibana
          resources:
            requests:
              memory: 2Gi
              cpu: 500m
            limits:
              memory: 2Gi
              cpu: 500m
          env:
            - name: ES_JAVA_OPTS
              value: "-Xms1g -Xmx1g"

And when I connect to Elasticsearch with Chrome, there is no warning with the certificate.

Topic		Replies	Views
Using ECK with custom certs, kibana is unable to connect to elasticsearch Elastic Cloud on Kubernetes (ECK)	4	1186	November 4, 2022
Errors when enabling tls for APM and Elasticsearch kubernetes deployment Elasticsearch elastic-stack-security	1	363	March 9, 2021
Unable to get issuer certificate with TLS enabled Kibana & Elasticsearch in k8s Kibana	2	898	March 28, 2022
Kibana is not connecting to Elasticsearch when providing own Certificate Elastic Cloud on Kubernetes (ECK)	2	267	February 22, 2024
TLS Between Elastic & Kibana...Certs Not Working Kibana elastic-stack-security	7	8906	July 19, 2020

SSL handshake fails between Kibana/APMServer and Elasticsearch after custom certificate setting on Elasticsearch

Related topics