Watcher Reports Fail after Certificate Installation

I have an Elasticsearch / Kibana installation at 5.4.1. We had a Watcher report configured to generate a PDF report on a daily basis that worked well until installing a certificate into Elasticsearch (to configure monitoring to an external node). When the report runs now, I get a failed execution with this logged:
"reason": "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
I assume that this is related to the certificate installed in Elasticsearch, which is an internal cert, signed by our in-house CA. I've tried adding the cert to the Java keystore (in the JDK), but I'm still getting the same error. What else should I be trying?

My guess is that you configured xpack.ssl.certificate_authorities or xpack.ssl.truststore.path to include this certificate.
When you do that you stop trusting the default JRE ca certs, and only trust the certs that you explicitly listed.

If that's the case, then your options are:

  • Add the corporate CA into your xpack.ssl.certificate_authorities / xpack.ssl.truststore.path
  • Change your ssl config, so that the monitoring cert is configured directly within the monitoring exporter and leave xpack.ssl.* unset.

I have the same issue with our internal cert, signed by our in-house CA. I have tried a lot of solutions, but with no success.

I have the corporate CA in my elasticsearch.yml

xpack.ssl.keystore.path: "/opt/kibana-45/config/Certificats/watcher-truststore.jks"
xpack.ssl.keystore.password: "changeit"

You're configuring the keystore, when you should be setting the truststore.

The xpack.ssl.keystore.path provides the private keys for this node to identify itself to other servers.
The xpack.ssl.truststore.path needs to have the certificates for trusted servers / CAs.

Thanks, but I have tested all configuration combinations and nothing works if signed by an in-house CA.

I finally got this working. TimV's comment put me on the right path, but I still needed some direct advice from Elastic support for this. What needed to be done, after creating a proper certificate for the server, was:

  1. Use the Java "keytool" to create a .jks keystore file (with password), based on a .CER export of the server's certificate.
  2. Put the .jks file I created into the elasticsearch.yml file, as well as the password:
    xpack.http.ssl.truststore.path: <absolute path to .jks file>
    xpack.http.ssl.truststore.password: <password only, no quotes>
  3. Restart elasticsearch to apply the configuration.

More info here: https://www.elastic.co/guide/en/kibana/current/securing-reporting.html

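The procedure from the last reply (keytool import, then the xpack.http.ssl.* truststore settings), as an added shell example that is not part of the thread. The CER file name, truststore path, alias and password are assumptions; the checks encode the two points made in the thread, that the HTTP client trust store is configured under xpack.http.ssl.truststore.* rather than xpack.ssl.keystore.*, and that the path is absolute and the password unquoted.

```shell
#!/bin/sh
# Added example: build a dedicated JKS truststore for Watcher/Reporting's
# HTTP client and render the matching elasticsearch.yml lines.

# Render the elasticsearch.yml fragment. The HTTP client used by Watcher
# reads xpack.http.ssl.*; xpack.ssl.keystore.* holds the node's own key.
render_http_ssl_config() {
    truststore="$1"; password="$2"
    # The thread's working config uses an absolute path to the .jks file.
    case "$truststore" in
        /*) ;;
        *) echo "error: truststore path must be absolute: $truststore" >&2; return 1 ;;
    esac
    # The poster notes the password goes in without quotes.
    case "$password" in
        *\"*|*\'*) echo "error: do not quote the truststore password" >&2; return 1 ;;
    esac
    printf 'xpack.http.ssl.truststore.path: %s\nxpack.http.ssl.truststore.password: %s\n' \
        "$truststore" "$password"
}

# Import a .CER export (DER or PEM) into a JKS truststore, creating the
# file if it does not exist, then list it to confirm the entry is present.
import_ca_into_truststore() {
    cer="$1"; truststore="$2"; password="$3"; alias="${4:-inhouse-ca}"
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$cer" \
        -keystore "$truststore" -storepass "$password" -storetype JKS &&
    keytool -list -keystore "$truststore" -storepass "$password" | grep -i "$alias"
}

# Usage (assumed paths): runs the import only when a JDK keytool and the
# exported certificate are actually present, then prints the yml lines.
TRUSTSTORE=/etc/elasticsearch/watcher-truststore.jks   # assumption
PASSWORD=change-this-password                          # assumption
if command -v keytool >/dev/null 2>&1 && [ -f "${CER_FILE:-inhouse-ca.cer}" ]; then
    import_ca_into_truststore "${CER_FILE:-inhouse-ca.cer}" "$TRUSTSTORE" "$PASSWORD"
fi
render_http_ssl_config "$TRUSTSTORE" "$PASSWORD"
```

Append the two printed lines to elasticsearch.yml and restart the node, as step 3 of the reply says; the keytool -list output is the check that the CA actually landed in the truststore.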
