Hi,
I create a watcher to monitoring de HEALTH of the Cluster.
I did get this error on the watcher response:
I also check my kibana configuration and I have TLS config :
I dont know why this error happend!
Hi @Rossana
I think it is because the "Watcher" does not know it is hitting HTTPS of the Elastic Cluster (to the watcher it is just ANY http endpoint), so it does not reference the CA that is in the kibana.yml which is only for the Kibana -> Elasticsearch Connection not any connection in a watcher.
And just to be clear watcher actually executes in Elasticsearch... not Kibana
Depending on the version of Elastic, you could just use heartbeat or synthetics and the uptime app to do the same thing...
But curious... If the cluster is down / not responsive, the watcher will not run anyways... are you monitoring from a different cluster?
What exactly are you trying to accomplish?
Hi,
I only want to monitor with watchers the status (to know if some shards are not allocated), the number of shards, the size of the shards... only those things at the moment.
The watcher is from the same cluster.
Do you know What I need to do in order to make it work?
What version are you on?
The standard approach would be to use Some form of Stack Monitoring and Alerting.
Versión: 7.17
In this link it says that is possible
Hi Rossana,
To enable secure HTTPS connections between Watcher, Kibana reporting, and Elasticsearch using a self-signed certificate in Kibana, include the CA certificate in Elasticsearch. Either add the CA certificate through xpack.http.ssl.certificate_authorities in elasticsearch.yml, or ensure ca.crt for the Kibana certificate is in /etc/elasticsearch/certs/watcher-truststore.jks.
1 Like
Hi @Rossana so yes as @yago82 Said, please look at these settings.
You will need to set these in your elasticsearch.yml
This is not as secure...
xpack.http.ssl.verification_mode: none
or set the path to the CA...
xpack.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]
1 Like
Ok.
thanks to both. @yago82 @stephenb
This is the elasticseach.yml of one of my nodes:
Either add the CA certificate through xpack.http.ssl.certificate_authorities in elasticsearch.yml, or ensure ca.crt for the Kibana certificate is in /etc/elasticsearch/certs/watcher-truststore.jks.
which certificate do I must aggregate? I also have an ssl.keystore.path configured already.
You need the CA for the http endpoint, that you used to create the http.p12, you used a CA to create that... you need to find that, and put that in the
xpack.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]
BTW Screenshots of text is discouraged, hard to read, can not be searched, debug etc...
THANKS!
I dont have access to copy the text from VPN (security policies).
There is no problem if my parameters are xpack.security.http.ssl? with security word?
Because you used xpack.http.ssl.certificate_authorities.
Understood...
Apologies I do not understand you need to set the settings... I do not know what security word you are referring too...
You need to do 1 of the 2 settings I showed above
I mean:
I must add to elasticsearch.yml
xpack.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]
or
xpack.security.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]
Please look at the document I provided ... yes there are many similar settings...
From the docs HERE that refer to Watcher
You can see the correct settings....
xpack.http.ssl.certificate_authorities(Static) List of paths to PEM encoded certificate files that should be trusted.
This setting and
ssl.truststore.pathcannot be used at the same time.
Yes but that is not the path the watcher component will access...
And what you circled above is the transport endpoint ... nothing to do with watcher http input.. nothing at all... and nothing to do with the http endpoint which is the bottom line in your picture...
None of those settings in your screen shot have anything to do with the watcher http input setting...
I think we have provided the correct settings...
If you get it to work otherwise, please let us know...
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.