Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate

I'm trying to use ssl certificates created by Let's Encrypt for elasticsearch and kibana version 8.4. Kibana fails at start up with this error message:

Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate

I think my elasticsearch server is configured correctly, and there's just something wrong with kibana configurations.

In terms of what I did, I have the following files on my elastic.example.com server:

ls -alh /etc/elasticserver/certs/elastic.example.com/
-rw-r--r-- 1 elasticsearch elasticsearch 1.9K Oct  6 16:41 cert1.pem
-rw-r--r-- 1 elasticsearch elasticsearch 3.7K Oct  6 16:41 chain1.pem
-rw-r--r-- 1 elasticsearch elasticsearch 5.5K Oct  6 16:41 fullchain1.pem
-rw-r--r-- 1 elasticsearch elasticsearch 1.7K Oct  6 16:41 privkey1.pem

And this is my /etc/elasticsearch/elasticsearch.yml

cluster.name: my-application
network.host: elastic.example.com
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/elastic.example.com/privkey1.pem
  certificate: certs/elastic.example.com/cert1.pem
  certificate_authorities: certs/elastic.example.com/fullchain1.pem
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/elastic.example.com/privkey1.pem
  certificate: certs/elastic.example.com/cert1.pem
  certificate_authorities: certs/elastic.example.com/fullchain1.pem
cluster.initial_master_nodes: ["e2"]
http.host: 0.0.0.0

Everything seems to work fine for elastic.example.com because I can start up and ping the server with these commands:

systemctl restart elasticsearch.service
curl -X GET -u elastic:demopass "https://elastic.example.com:9200/_cluster/health?pretty=true" --cacert /etc/elasticsearch/certs/elastic.example.com/fullchain1.pem
{
  "cluster_name" : "my-application",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 45,
  "active_shards" : 45,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 26,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 63.38028169014085
}

Next, I move on to the kibana server. I set up a new server called kibana.example.com and I copied over the ssl certificates so that I have these:

ls -alh /etc/kibana/certs/elastic.example.com/
-rw-r--r-- 1 kibana kibana 1.9K Oct  6 16:52 cert1.pem
-rw-r--r-- 1 kibana kibana 3.7K Oct  6 16:52 chain1.pem
-rw-r--r-- 1 kibana kibana 5.5K Oct  6 16:52 fullchain1.pem
-rw-r--r-- 1 kibana kibana 1.7K Oct  6 16:52 privkey1.pem

I confirmed that the certs for elastic.example.com worked from kibana.example.com with this command:

curl -X GET -u elastic:demopass "https://elastic.example.com:9200/_cluster/health?pretty=true" --cacert /etc/kibana/certs/elastic.example.com/fullchain1.pem
{
  "cluster_name" : "my-application",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 45,
  "active_shards" : 45,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 26,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 63.38028169014085
}

Next I made this /etc/kibana/kibana.yml:

server.port: 5601
server.host: 0.0.0.0
server.publicBaseUrl: "http://kibana.example.com"
server.ssl.enabled: false
elasticsearch.hosts: ["https://elastic.example.com:9200"]
# I also tried changing `fullchain1.pem` to `chain1.pem` or `cert1.pem`
#elasticsearch.ssl.certificate: /etc/kibana/certs/elastic.example.com/fullchain1.pem
#elasticsearch.ssl.key: /etc/kibana/certs/elastic.example.com/privkey1.pem

#elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elastic.example.com/cert1.pem", "/etc/kibana/certs/elastic.example.com/chain1.pem" ]
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elastic.example.com/fullchain1.pem" ]
# break SSL connection by changing `none` to either `certificate` or `full`
elasticsearch.ssl.verificationMode: none
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid

If I do a systemctl start kibana.service everything works fine because there are no systemctl errors and I can see kibana in the web browser.

But the moment I change elasticsearch.ssl.verificationMode from none to certificate or full, I get the error mentioned in my subject title. I've tried various combinations of values for elasticsearch.ssl.* but nothing works unless I keep the verificationMode to none. How do I get SSL to work with verificationMode as either certificate or full when using Let's Encrypt or a commercially signed SSL?

Hi, because this is something I have on my "list" too, I was searching the web for someone who already did it and found this post: Encrypting communications in Elasticsearch with Let's Encrypt certificates. I did notice the Kibana configuration in that article is also using the server.ssl.key: /etc/kibana/config/certs/kibana.mycompany.com/privkey.pem command. Check it out.

Thanks ttyser, yes I've actually tried putting this into /etc/kibana/kibana.yml

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.example.com/fullchain1.pem
server.ssl.key: /etc/kibana/certs/kibana.example.com/privkey1.pem

And I also did this:

ls -alh /etc/kibana/certs/kibana.example.com/
-rwxrwxrwx 1 kibana kibana 1.9K Oct  4 22:33 cert1.pem
-rwxrwxrwx 1 kibana kibana 3.7K Oct  4 22:33 chain1.pem
-rwxrwxrwx 1 kibana kibana 5.5K Oct  4 22:33 fullchain1.pem
-rwxrwxrwx 1 kibana kibana 1.7K Oct  4 22:33 privkey1.pem
systemctl restart kibana.service

Still I get the error I mentioned above. I've used the server.ssl.* before on another development installation and all it does is encrypt the traffic between web browser (or clients) and the kibana server, and is not related to encrypting traffic between kibana and elastic.

I believe this message is Kibana not able to connect/authenticate to Elasticsearch.
What do you see in: sudo less /var/log/kibana/kibana.log ?
When I try to simulate this by using an incorrect certificate in my config, I get the following error.

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-10-07T17:35:14.962+00:00","message":"Unable to retrieve version information from Elasticsearch nodes. self signed certificate in certificate chain","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":3932},"trace":{"id":"280259d3b018ec374e93d6877b28f900"},"transaction":{"id":"4004c26813910953"}}       
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-10-07T17:35:16.836+00:00","message":"Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell","log":{"level":"INFO","logger":"plugins.screenshotting.chromium"},"process":{"pid":3932},"trace":{"id":"280259d3b018ec374e93d6877b28f900"},"transaction":{"id":"4004c26813910953"}}

Or this could be an incorrect username or password in kibana.yml for kibana connecting to elasticsearch:

# =================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://10.212.25.197:9200"]

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "Ewwm9y6hvhhVe_ov6MI"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/http_ca.crt" ]

This is the log for an incorrect password:

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-10-07T17:47:28.771+00:00","message":"Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: unable to authenticate user [kibana_system] for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":4035},"trace":{"id":"6b72e028910296084bd7979aaaa3adab"},"transaction":{"id":"6dcb09d7cb661077"}}  
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-10-07T17:47:30.322+00:00","message":"Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell","log":{"level":"INFO","logger":"plugins.screenshotting.chromium"},"process":{"pid":4035},"trace":{"id":"6b72e028910296084bd7979aaaa3adab"},"transaction":{"id":"6dcb09d7cb661077"}}

When I set the elasticsearch.ssl.verificationMode: none, then I only see INFO in my /var/log/kibana/kibana.log, and I don't see any errors.

When I set elasticsearch.ssl.verificationMode to certificate or full, this is the only ERROR I see

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-10-07T18:33:50.739+00:00","message":"Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":2601},"trace":{"id":"1fb5f2aed81c2a863b20de3e5d1c8aed"},"transaction":{"id":"d93e659648febe62"}}

Also, I used Kibana key store secrets (Secure Settings | Kibana User Guide [6.3] | Elastic) to store things like elasticsearch.username/password/token so that they are not visible in plain text in my kibana.yml file.

I stumbled on this article: Mutual TLS authentication between Kibana and Elasticsearch | Kibana Guide [8.4] | Elastic

I wonder if, because I'm using version 8.4, I can't use Let's Encrypt SSLs, and I need to use only certificates made by bin/elasticsearch-certutil.

Hi @learningelastic You can absolutely use let's Encrypt Certs :slight_smile:

1st, I am assuming that you created your SSL Certs via Let's Encrypt via one of the official ways.

I used certbot and created a fullchain.pem and privkey.pem for each of them.

I created certs for elasticsearch and kibana. At this point they are running on the same host, but that is incidental. I created them for the domain names. IF you want to use any IPs for the connection configuration setting you MUST include those IPs when you create the certs, otherwise the Subject Names will not match.

For my Example I just used 1 domain name each.

they are
elasticsearch.mydomain.net
and
kibana.mydomain.net

Now here are my configuration files ...
To be clear.. these are fully functional as they are, these are not partial snippets.

Here is my elasticsearch.yml

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  certificate: certs/fullchain.pem 
  key: certs/privkey.pem

# I used the existing transport ssl certs since it is local... 
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["stephenb-es-8-test"]

http.host: 0.0.0.0

So now let's make sure you have elasticsearch with Full Certs from a Trusted Authority, Let's Encrypt.

If these are full certs from a cert authority you should be able to run curl -v to verify without passing the --cacert flag.

So my test ... if this works then ... you have an official proper cert.

See below: full cert with subject name, issued by Let's Encrypt.

$ curl -v -u elastic https://elasticsearch.mydomain.net:9200
Enter host password for user 'elastic':
*   Trying nnn.nnn.nnn.nnn:9200...
* Connected to elasticsearch.mydomain.net (nnn.nnn.nnn.nnn) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kibana.bvader.net
*  start date: Oct  7 18:01:21 2022 GMT
*  expire date: Jan  5 18:01:20 2023 GMT
*  subjectAltName: host "elasticsearch.mydomain.net" matched cert's "elasticsearch.mydomain.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: elasticsearch.mydomain.net:9200
> Authorization: Basic askdfjhasdlkfjhasdflkjashVjdEtDX0Y4Rw==
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 541
< 
{
  "name" : "stephenb-es-8-test",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "jjCaopvzTKaw9Wk_HSpO4w",
  "version" : {
    "number" : "8.4.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "42f05b9372a9a4a470db3b52817899b99a76ee73",
    "build_date" : "2022-10-04T07:17:24.662462378Z",
    "build_snapshot" : false,
    "lucene_version" : "9.3.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host elasticsearch.mydomain.net left intact

So assuming you see the same, you technically don't even need this in your kibana.yml, it is the default:
elasticsearch.ssl.verificationMode: full

So now we are ready to proceed to Kibana

Here is my kibana.yml
A couple of notes: the publicBaseUrl needs to be complete with port and everything.

server.host: "0.0.0.0"
server.publicBaseUrl: "https://kibana.mydomain.net:5601"

logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid

# Kibana ssl 
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/fullchain.pem
server.ssl.key: /etc/kibana/privkey.pem

# Elasticsearch stuff
elasticsearch.hosts: ['https://elasticsearch.mydomain.net:9200']

# Since this is a Full Valid Cert it should just fully verify
# Technically you don't even need this it is the default, but being specific
elasticsearch.ssl.verificationMode: full

# Either use elasticsearch u/pw or enrollment token
elasticsearch.serviceAccountToken: AAAAAAAAABBBBBBBBW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NTYzNTU5Njg1Mjg6V3JXUnprY0FUZGV1MjF2MXhSTVFNZw

# Leftover enrollment stuff
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://10.168.0.12:9200'], ca_trusted_fingerprint: f5956ed6b099ccee4c00d5837a57ba07ea89756df453c42d1659442c1d7f192d}]

It is possible I am not understanding something ...

BTW, to see logs easily use

journalctl -f -u kibana.service
or
journalctl -f -u elasticsearch.service


Thank you.... Then it seems something must be wrong with my certificates because I see this:

curl -v -u elastic "https://elastic.example.com:9200/"
*   Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to elastic.example.com (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And maybe this has something to do with my router failing to pass along domain names in my LAN or something... OK, going to investigate this more, thanks for the clues!

I think you are not configured correctly

In your elasticsearch.yml

xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/elastic.example.com/privkey1.pem
  certificate: certs/elastic.example.com/cert1.pem
  certificate_authorities: certs/elastic.example.com/fullchain1.pem

perhaps should be

xpack.security.http.ssl:
  enabled: true
  key: certs/elastic.example.com/privkey1.pem
  certificate: certs/elastic.example.com/fullchain1.pem

see mine

xpack.security.http.ssl:
  enabled: true
  certificate: certs/fullchain.pem 
  key: certs/privkey.pem

Yes thank you so much! It worked! Based on your corrections, these are my final files:

# /etc/elasticsearch/elasticsearch.yml on the server elastic.example.com
cluster.name: my-application
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: elastic.example.com
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/elastic.example.com/privkey1.pem
  certificate: certs/elastic.example.com/fullchain1.pem
xpack.security.transport.ssl:
  enabled: true
  key: certs/elastic.example.com/privkey1.pem
  certificate: certs/elastic.example.com/fullchain1.pem
cluster.initial_master_nodes: ["e2"]
http.host: 0.0.0.0
# /etc/kibana/kibana.yml on the server kibana.example.com
server.port: 5601
server.host: 0.0.0.0
server.publicBaseUrl: "https://kibana.example.com:5601"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.example.com/fullchain1.pem
server.ssl.key: /etc/kibana/certs/kibana.example.com/privkey1.pem
elasticsearch.hosts: ["https://elastic.example.com:9200"]
elasticsearch.ssl.verificationMode: full
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid

Certs for both elastic.example.com and kibana.example.com were issued by Let's Encrypt. All passwords and secrets in /etc/kibana/kibana.yml were declared with /usr/share/kibana/bin/kibana-keystore.

Thank you everyone for corrections!

