Watcher Webhook s_s_l_handshake_exception

I am using 7.9.1. Kibana is running in a Docker container. I am trying to set up a Webhook action in Watcher with the following code:

"webhook_2" : {
        "webhook" : {
          "scheme" : "https",
          "host" : "elastic.systems",
          "port" : 9200,
          "method" : "post",
          "path" : "_aliases",
          "params" : { },
          "headers" : { },
          "auth" : {
            "basic" : {
              "username" : "<username>",
              "password" : "<password>"
            }
          },
          "body" : """{"actions":[
{"add":{"index": "linux-syslog-*", "alias": "my-syslogs"}}]}"""
        }
      }

When I execute the above Watcher, I get an error like this:

 {
          "id" : "webhook_2",
          "type" : "webhook",
          "status" : "failure",
          "error" : {
            "root_cause" : [
              {
                "type" : "s_s_l_handshake_exception",
                "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
              }
            ],
            "type" : "s_s_l_handshake_exception",
            "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
            "caused_by" : {
              "type" : "validator_exception",
              "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
              "caused_by" : {
                "type" : "sun_cert_path_builder_exception",
                "reason" : "unable to find valid certification path to requested target"
              }
            }
          }
        }

I looked through "Watcher settings in Elasticsearch" (Elasticsearch Guide [7.x]) and decided to add the following environment variables to the yml file:

      XPACK_HTTP_SSL_VERIFICATIONMODE: none
      XPACK_HTTP_SSL_CERTIFICATEAUTHORITIES: /etc/pki/tls/certs/trust-chain.pem

Then I rebuilt the Kibana container with the new environment variables. I still got the same error.
Any suggestions on how to troubleshoot? Any other settings I should change within the container?

Hey,

Just to verify: changes for Watcher are usually changes for Elasticsearch, so restarting the Kibana container will not have an effect.

Ah. Thanks for the reply. Currently I have the following settings:

xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /config/certs/elastic.key
xpack.security.http.ssl.certificate: /config/certs/elastic.pem
xpack.security.http.ssl.certificate_authorities: /config/certs/es_trust_chain.pem

I am going to add the following to test it out.

xpack.http.ssl.verification_mode: certificate
xpack.http.ssl.certificate_authorities: /config/certs/es_trust_chain.pem

Question: Should I be looking into setting xpack.security.http.ssl.verification_mode and xpack.security.http.ssl.certificate_authorities as well?

Worth a try to sync that configuration, as you seem to want to connect to your local system - not sure about that?

Seems like just adding the following to elasticsearch.yml and restarting does the trick. Thank you.

xpack.http.ssl.certificate_authorities: /config/certs/es_trust_chain.pem
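
As an added example (not from the thread or from Elastic's code): a small Python check over flat elasticsearch.yml settings that separates the trust settings of Watcher's outbound HTTP client (`xpack.http.ssl.*`) from those of the HTTPS listener (`xpack.security.http.ssl.*`), the distinction that resolved the PKIX error above. The function names and the sample settings are constructed for illustration.

```python
# Added example; sample settings are constructed from the thread's keys.
CLIENT = "xpack.http.ssl."           # Watcher's outbound HTTP client
SERVER = "xpack.security.http.ssl."  # Elasticsearch's own HTTPS listener


def parse_flat_settings(text):
    """Parse flat 'dotted.key: value' lines as posted in the thread."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def lint_watcher_tls(settings):
    """Return findings about the trust settings Watcher webhooks rely on."""
    findings = []
    mode = settings.get(CLIENT + "verification_mode", "full")
    if mode == "none":
        findings.append("verification disabled: any certificate is accepted")
    elif mode == "certificate":
        findings.append("hostname not verified: chain is checked, name is not")
    elif mode != "full":
        findings.append("unknown verification_mode: " + mode)
    client_ca = settings.get(CLIENT + "certificate_authorities")
    server_ca = settings.get(SERVER + "certificate_authorities")
    if client_ca is None and server_ca is not None:
        findings.append("CA set only for the listener: add "
                        + CLIENT + "certificate_authorities")
    return findings


BEFORE = """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate_authorities: /config/certs/es_trust_chain.pem
"""
AFTER = BEFORE + "xpack.http.ssl.certificate_authorities: /config/certs/es_trust_chain.pem\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_watcher_tls(parse_flat_settings(text)))
```

The check only reads flat `key: value` lines; nested YAML and list values are outside what it parses.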