Unable to verify the first certificate - kibana/elasticsearch

Hi teams,

I'm trying to configure xpack for Elasticsearch/Kibana. I've activated the trial license for Elasticsearch, configured xpack for Kibana/Elasticsearch, and generated ca.crt, node1-elk.crt, node1-elk.key, kibana.key and kibana.crt. If I test with curl against Elasticsearch using the kibana user and password and the ca.crt, it works like a charm. If I try to access Kibana from the GUI, it says "Server is not ready yet" and the logs show "unable to verify the first certificate":

{"type":"log","@timestamp":"2021-11-16T04:41:09-05:00","tags":["error","savedobjects-service"],"pid":13250,"message":"Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate"}

My configuration:

kibana.yml

server.name: "my-kibana"
server.host: "0.0.0.0"
elasticsearch.hosts: ["https://0.0.0.0:9200"]
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "kibana"

elasticsearch.yml

node.name: node1
network.host: 0.0.0.0
discovery.seed_hosts: [ "0.0.0.0" ]
cluster.initial_master_nodes: ["node1"]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/node1.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/node1.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca.crt" ]
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/node1.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/node1.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca.crt" ]

curl testing:

[root@localhost kibana]#  curl -XGET https://0.0.0.0:9200/_cat/nodes?v -u kibana_system:kibana  --cacert /etc/elasticsearch/certs/ca.crt
ip              heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
192.168.100.102           23          97   3    0.00    0.02     0.08 cdfhilmrstw *      node1

I don't know what more to do here:

[root@localhost kibana]#  curl -XGET https://0.0.0.0:9200/_license -u kibana_system:kibana  --cacert /etc/elasticsearch/certs/ca.crt
{
  "license" : {
    "status" : "active",
    "uid" : "872f0ad0-723e-43c8-b346-f43e2707d3de",
    "type" : "trial",
    "issue_date" : "2021-11-08T18:26:15.422Z",
    "issue_date_in_millis" : 1636395975422,
    "expiry_date" : "2021-12-08T18:26:15.422Z",
    "expiry_date_in_millis" : 1638987975422,
    "max_nodes" : 1000,
    "issued_to" : "elasticsearch",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}

Thank you for your help

Hi @slashlinux,

One of the things I noticed is that the SSL certificate authorities are different in your kibana.yml and your elasticsearch.yml. For Kibana to be able to verify the ES certificates, this authority should be the same (see Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [7.15] | Elastic).

Could you try adding the Elasticsearch certificate into your kibana.yml?

server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt", "/etc/elasticsearch/certs/ca.crt"]

Let me know if it worked.

Hi,

Thank you for the reply, the certs are the same:

[root@localhost ~]# cat /etc/kibana/certs/ca.crt | openssl x509 
[root@localhost ~]# cat /etc/elasticsearch/certs/ca.crt | openssl x509 

Also, I can curl with the ca.crt from /etc/kibana/certs/:

[root@localhost ~]# curl -XGET https://0.0.0.0:9200/_license -u kibana_system:kibana  --cacert /etc/kibana/certs/ca.crt
{
  "license" : {
    "status" : "active",
    "uid" : "872f0ad0-723e-43c8-b346-f43e2707d3de",
    "type" : "trial",
    "issue_date" : "2021-11-08T18:26:15.422Z",
    "issue_date_in_millis" : 1636395975422,
    "expiry_date" : "2021-12-08T18:26:15.422Z",
    "expiry_date_in_millis" : 1638987975422,
    "max_nodes" : 1000,
    "issued_to" : "elasticsearch",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}
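
An added example, not part of the thread and not Elastic's own tooling: Kibana verifies Elasticsearch's HTTP certificate against `elasticsearch.ssl.certificateAuthorities` (or `elasticsearch.ssl.truststore.path`), while `server.ssl.*` configures only Kibana's own HTTPS listener, and the posted kibana.yml sets only the latter. The Python check below flags that gap in a flat kibana.yml; the sample input is constructed from the posted configuration, and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the kibana.yml posted in the thread.
SAMPLE_KIBANA_YML = """\
server.host: "0.0.0.0"
elasticsearch.hosts: ["https://0.0.0.0:9200"]
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]
elasticsearch.username: "kibana_system"
"""

def parse_flat_yaml(text):
    """Parse dotted 'key: value' lines only; nested YAML is out of scope here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings

def check_es_trust(settings):
    """Return findings on how Kibana will verify Elasticsearch's HTTP certificate."""
    hosts = re.findall(r"https?://[^\"'\],\s]+", settings.get("elasticsearch.hosts", ""))
    if not any(h.startswith("https://") for h in hosts):
        return []  # no TLS on the outbound connection, nothing to verify
    findings = []
    trust_keys = ("elasticsearch.ssl.certificateAuthorities",
                  "elasticsearch.ssl.truststore.path")
    if not any(k in settings for k in trust_keys):
        findings.append("no elasticsearch.ssl.certificateAuthorities: a private CA "
                        "is not trusted for the Elasticsearch connection "
                        "(server.ssl.* only covers Kibana's own listener)")
    mode = settings.get("elasticsearch.ssl.verificationMode", "full").strip("\"'")
    if mode != "full":
        findings.append(f"elasticsearch.ssl.verificationMode is {mode}: "
                        "verification of the Elasticsearch certificate is weakened")
    return findings

if __name__ == "__main__":
    for finding in check_es_trust(parse_flat_yaml(SAMPLE_KIBANA_YML)):
        print("FINDING:", finding)
```

A successful `curl --cacert` only shows that the CA file is valid for that one client; Kibana's Node.js client trusts the CA only when it is named in its own `elasticsearch.ssl.*` settings.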
