Watcher: HTTP input - verify certificate


I'm creating a watcher to check some values with an API Restful. It is failing with this error:

[2018-02-22T19:07:00,941][ERROR][o.e.x.w.i.h.ExecutableHttpInput] [kibana] failed to execute [http] input for watch [inlined], reason [ PKIX path building failed: unable to find valid certification path to requested target]

The API is listening in HTTPS but it is self-signed. I don't find any attribute to skip the certificate verification: HTTP Input | X-Pack for the Elastic Stack [6.2] | Elastic.

Any recommendations?.


1 Like

You might get past this by installing your self-signed certs into your machine's certificate store. I have a test script that does this (also disables ipv6 to simplify things a bit for my case);

And I think you will have to use https if you're not already.

case $VMOS in
  cp $QADIR/../certs/ca/ca.crt /usr/local/share/ca-certificates/
  cp $QADIR/../certs/elasticsearch/elasticsearch.crt /usr/local/share/ca-certificates/
  cp $QADIR/../certs/kibana/kibana.crt /usr/local/share/ca-certificates/

  echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
  echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
  echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf
  sysctl -p
  cat /proc/sys/net/ipv6/conf/all/disable_ipv6
  # do we need sudo here?
  # sudo yum install -y ca-certificates
  sudo update-ca-trust force-enable
  cp $QADIR/../certs/ca/ca.crt /etc/pki/ca-trust/source/anchors/
  cp $QADIR/../certs/elasticsearch/elasticsearch.crt /etc/pki/ca-trust/source/anchors/
  cp $QADIR/../certs/kibana/kibana.crt /etc/pki/ca-trust/source/anchors/
  sudo update-ca-trust extract
  certutil -addstore root $QADIR/../certs/ca/ca.crt

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.