Hello,
I generated with certutils my own ca.crt, ca.key and the certificates for each node(with an instances.yml), however when I load the elastic and kibana, kibana docker container logs says:
kibana_1 | [2024-09-17T12:15:58.476+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate
In order to check if the ca.crt and credentials are correct from inside the Kibana container, I do in a shell(inside kibana container):
curl --cacert /usr/share/kibana/config/certs/ca/ca.crt -v https://es01:9200 -u kibana_system:xxxxx
and the elastic node response is correct, so I'm not sure why Kibana is not able to connect to elasticsearch. But I can say that the certificate authority is good. Just to note that I used
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system
inside the elastic container in order to set the kibana password for that user and after that I modified the docker-compose.yml and finally restart the kibana container.
Can someone help me? thanks!
My docker-compose file:
# The version of the Docker Compose file format
version: "2.2"
# The services that make up the application
services:
# The setup service is responsible for setting up the Elasticsearch cluster
setup:
# The Docker image to use for this service
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
# The volumes to mount into this service
volumes:
- ./config/certs:/usr/share/elasticsearch/config/certs
# The user to run commands as inside the container
user: "0"
# The command to run inside the container
#command: tail -f '/dev/null'
# The healthcheck to determine the health of this service
healthcheck:
test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]
interval: 1s
timeout: 5s
retries: 120
# The es01 service represents an Elasticsearch node in the cluster
es01:
# This service depends on the setup service
depends_on:
setup:
condition: service_healthy
# The Docker image to use for this service
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
# The volumes to mount into this service
volumes:
- ./config/certs:/usr/share/elasticsearch/config/certs
- esdata01:elk/elastic/data
# The ports to expose from this service
ports:
- ${ES_PORT}:9200
# The environment variables to set inside the container
environment:
- node.name=es01
- cluster.name=${CLUSTER_NAME}
- discovery.type=single-node
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms4g -Xmx4g"
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=certs/es01/es01.key
- xpack.security.http.ssl.certificate=certs/es01/es01.crt
- xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.http.ssl.verification_mode=certificate
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.key=certs/es01/es01.key
- xpack.security.transport.ssl.certificate=certs/es01/es01.crt
- xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.license.self_generated.type=${LICENSE}
# The memory limit for this service
mem_limit: ${MEM_LIMIT}
# The ulimits to set for this service
ulimits:
memlock:
soft: -1
hard: -1
# The healthcheck to determine the health of this service
healthcheck:
test:
[
"CMD-SHELL",
"curl --cacert config/certs/ca/ca.crt -u 'elastic:xxxxxx' https://localhost:9200 -k |grep -q 01"
]
interval: 10s
timeout: 10s
retries: 120
# The kibana service represents a Kibana instance
kibana:
# This service depends on the es01 service
depends_on:
es01:
condition: service_healthy
# The Docker image to use for this service
image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
# The volumes to mount into this service
volumes:
- ./config/certs:/usr/share/kibana/config/certs
- kibanadata: elk/kibana/data
# The ports to expose from this service
ports:
- ${KIBANA_PORT}:5601
# The environment variables to set inside the container
environment:
- SERVERNAME=kibana
- ELASTICSEARCH_HOSTS=https://es01:9200
- ELASTICSEARCH_USERNAME=kibana_system
- ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
- elasticsearch.ssl.certificateAuthorities=["/usr/share/kibana/config/certs/ca/ca.crt"]
- xpack.reporting.encryptionKey=${KIBANA_PASSWORD}
- XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=yyyyyy
# The memory limit for this service
mem_limit: ${MEM_LIMIT}
# The healthcheck to determine the health of this service
healthcheck:
test:
[
"CMD-SHELL",
"curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
]
interval: 10s
timeout: 10s
retries: 120
# The volumes to create for the application
volumes:
certs:
driver: local
esdata01:
driver: local
kibanadata:
driver: local