Watcher Http Input - PKIX path building failed


I create a watcher to monitoring de HEALTH of the Cluster.

I did get this error on the watcher response:

I also check my kibana configuration and I have TLS config :

I dont know why this error happend!

Hi @Rossana

I think it is because the "Watcher" does not know it is hitting HTTPS of the Elastic Cluster (to the watcher it is just ANY http endpoint), so it does not reference the CA that is in the kibana.yml which is only for the Kibana -> Elasticsearch Connection not any connection in a watcher.

And just to be clear watcher actually executes in Elasticsearch... not Kibana

Depending on the version of Elastic, you could just use heartbeat or synthetics and the uptime app to do the same thing...

But curious... If the cluster is down / not responsive, the watcher will not run anyways... are you monitoring from a different cluster?

What exactly are you trying to accomplish?


I only want to monitor with watchers the status (to know if some shards are not allocated), the number of shards, the size of the shards... only those things at the moment.

The watcher is from the same cluster.

Do you know What I need to do in order to make it work?

What version are you on?

The standard approach would be to use Some form of Stack Monitoring and Alerting.

Versión: 7.17

In this link it says that is possible

Hi Rossana,

To enable secure HTTPS connections between Watcher, Kibana reporting, and Elasticsearch using a self-signed certificate in Kibana, include the CA certificate in Elasticsearch. Either add the CA certificate through xpack.http.ssl.certificate_authorities in elasticsearch.yml, or ensure ca.crt for the Kibana certificate is in /etc/elasticsearch/certs/watcher-truststore.jks.

1 Like

Hi @Rossana so yes as @yago82 Said, please look at these settings.

You will need to set these in your elasticsearch.yml

This is not as secure...

xpack.http.ssl.verification_mode: none

or set the path to the CA...

xpack.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]

1 Like

thanks to both. @yago82 @stephenb

This is the elasticseach.yml of one of my nodes:

Either add the CA certificate through xpack.http.ssl.certificate_authorities in elasticsearch.yml, or ensure ca.crt for the Kibana certificate is in /etc/elasticsearch/certs/watcher-truststore.jks.

which certificate do I must aggregate? I also have an ssl.keystore.path configured already.

You need the CA for the http endpoint, that you used to create the http.p12, you used a CA to create that... you need to find that, and put that in the

xpack.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]

BTW Screenshots of text is discouraged, hard to read, can not be searched, debug etc...


I dont have access to copy the text from VPN (security policies).

There is no problem if my parameters are with security word?
Because you used xpack.http.ssl.certificate_authorities.


Apologies I do not understand you need to set the settings... I do not know what security word you are referring too...

You need to do 1 of the 2 settings I showed above

I mean:
I must add to elasticsearch.yml

xpack.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]
or ["/path/to/http_ca.crt"]

Please look at the document I provided ... yes there are many similar settings...

From the docs HERE that refer to Watcher

You can see the correct settings....


(Static) List of paths to PEM encoded certificate files that should be trusted.

This setting and ssl.truststore.path cannot be used at the same time.

I understand, but in my case I already have a truststore configured here.


Yes but that is not the path the watcher component will access...

And what you circled above is the transport endpoint ... nothing to do with watcher http input.. nothing at all... and nothing to do with the http endpoint which is the bottom line in your picture...

None of those settings in your screen shot have anything to do with the watcher http input setting...

I think we have provided the correct settings...

If you get it to work otherwise, please let us know...

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.