SSLHandshakeException certificate_unknown


When I try to integrate Search Guard with Elasticsearch I keep getting the following error Received fatal alert: certificate_unknown

I use elasticsearch-7.6.1 and search-guard-7-7.6.1-40.0.0

Certificates are generated by download the certificates zip file (, unpacking it and placing all files in the \elasticsearch-7.6.1-windows-x86_64\elasticsearch-7.6.1\config directory

My elasticsearch.yml:

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
  - CN=kirk,OU=client,O=client,L=test, C=de
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
cluster.routing.allocation.disk.threshold_enabled: false searchguard_demo
node.max_local_storage_nodes: 3 false

Am I not generating the certificate correctly? what am I doing wrong? Can anyone help me fix this problem.

Thanks in advance,

When did you get the error, after you started Kibana? If yes, did you setup SSL/TLS in kibana.yml? Here is the guide Installing the Search Guard Kibana Plugin | Security for Elasticsearch | Search Guard

At first glance the config looks fine to me. Can you please post the complete stack trace of the SSL exception from the ES logs? Thx!

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.