Something wrong with certificates? (Kibana plugin)

Search Guard
1

Hello,

the needed info:

Versions: Elasticsearch & Kibana in 6.3.2 , Search Guard in 6.2.3-22.0

Modules: None

Java: 1.8.0.0_161

OS: CentOs 7.4.1708

sg_config.yml: unchanged

Plugins: just searchguard for elasticsearch and kibana

I finally went from the demo to the production setup, I have server certificates and a root certificate and everything is signed properly. But for some reason, whenever I try to enable the ssl verification in kibana, I get stuck with the following message:

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“error”,“elasticsearch”,“admin”],“pid”:12874,“message”:“Request error, retrying\nHEAD https://10.81.16.101:9200/ => unable to get issuer certificate”}

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“Unable to revive connection: https://10.81.16.101:9200/”}

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“No living connections”}

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“status”,“plugin:elasticsearch@6.2.3”,“error”],“pid”:12874,“state”:“red”,“message”:“Status changed from yellow to red - Unable to connect to Elasticsearch at https://10.81.16.101:9200.”,“prevState”:“yellow”,“prevMsg”:“Waiting for Elasticsearch”}

Mai 09 13:31:41 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:41Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“Unable to revive connection: https://10.81.16.101:9200/”}

Mai 09 13:31:41 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:41Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“No living connections”}

The troubleshooting website says one should wether disable the verification or install the root certificate by setting “elasticsearch.ssl.certificateAuthorities” to the right value. I already did this, and this is why I am at that point.

Had anybody some similar issue?
Does one know how to solve this or can at least point me in the right direction?

If you need further information, please ask,

Regards,

Kevin

2

“unable to get issuer certificate”: This usually means that the certificate chain is incomplete and the most likely cause is that an intermediate certificate is missing.

Let’s say you use an intermediate certificate and your trust chain looks like:

root certificate → intermediate certificate → node certificate

``

If you configure the root cert on Kibana, but ES/SG sends only the node certificate, then the intermediate one is missing and you would see the “unable to get issuer certificate” message.

Or, to put it another way: Each certificate has an issuer and in order to validate the certificate the complete chain up to the root certificate must be complete. You might want to check if the chain is complete in your case. Please see chapter “Validating the certificate chain” in the TLS troubleshooting docs:

···

On Wednesday, May 9, 2018 at 1:56:19 PM UTC+2, Kevin Just wrote:

Hello,

the needed info:

Versions: Elasticsearch & Kibana in 6.3.2 , Search Guard in 6.2.3-22.0

Modules: None

Java: 1.8.0.0_161

OS: CentOs 7.4.1708

sg_config.yml: unchanged

Plugins: just searchguard for elasticsearch and kibana

I finally went from the demo to the production setup, I have server certificates and a root certificate and everything is signed properly. But for some reason, whenever I try to enable the ssl verification in kibana, I get stuck with the following message:

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“error”,“elasticsearch”,“admin”],“pid”:12874,“message”:“Request error, retrying\nHEAD https://10.81.16.101:9200/ => unable to get issuer certificate”}

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“Unable to revive connection: https://10.81.16.101:9200/”}

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“No living connections”}

Mai 09 13:31:38 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:38Z”,“tags”:[“status”,“plugin:elasticsearch@6.2.3”,“error”],“pid”:12874,“state”:“red”,“message”:“Status changed from yellow to red - Unable to connect to Elasticsearch at https://10.81.16.101:9200.”,“prevState”:“yellow”,“prevMsg”:“Waiting for Elasticsearch”}

Mai 09 13:31:41 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:41Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“Unable to revive connection: https://10.81.16.101:9200/”}

Mai 09 13:31:41 dns-name kibana[12874]: {“type”:“log”,“@timestamp”:“2018-05-09T11:31:41Z”,“tags”:[“warning”,“elasticsearch”,“admin”],“pid”:12874,“message”:“No living connections”}

The troubleshooting website says one should wether disable the verification or install the root certificate by setting “elasticsearch.ssl.certificateAuthorities” to the right value. I already did this, and this is why I am at that point.

Had anybody some similar issue?
Does one know how to solve this or can at least point me in the right direction?

If you need further information, please ask,

Regards,

Kevin