Elasticsearch Throws Certificate Error #25

@leshibily

Hello,

When I follow the Letsencrypt Walkthrough document, Elasticsearch throws the following error.

```
elasticsearch | {"type": "server", "timestamp": "2022-01-18T03:03:17,545Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elk-tls-cluster", "node.name": "elasticsearch", "message": "http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/172.19.0.2:9200, remoteAddress=/172.19.0.5:51048}", "cluster.uuid": "DsG__rYzS4GNZ69miZs_Fg", "node.id": "l9xk4d7BSECjE9QYPfDOEg" }
```

Elasticsearch doesn't come up at all and hence when I access https://kibana.example.com, I see Kibana server is not ready yet.

Logs from kibana container:

```
kibana | {"type":"log","@timestamp":"2022-01-18T03:02:57+00:00","tags":["error","savedobjects-service"],"pid":1220,"message":"Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate"}
```

I am not sure why I need to run `docker-compose -f docker-compose.setup.yml run --rm certs` multiple times; that is confusing.

.env

```
ELK_VERSION=7.15.0
ELASTIC_USERNAME=elastic
ELASTIC_PASSWORD=some_password
KIBANA_URL=https://0.0.0.0:5601

# Configuration Variables
ELASTICSEARCH_HEAP=2g
LOGSTASH_HEAP=1g
PACKETBEAT_HEAP=256m
FILEBEAT_HEAP=256m
METRICBEAT_HEAP=256m
XPACK_ENCRYPTION_KEY=somesuperlongstringlikethisoneMQBbtsynu4bV2uxLy

# Self signed TLS certificates
CA_PASSWORD=some_password
CA_DAYS=3650
ELASTIC_DIR=/usr/share/elasticsearch
LOGSTASH_DIR=/usr/share/logstash
KIBANA_DIR=/usr/share/kibana
PACKETBEAT_DIR=/usr/share/packetbeat
FILEBEAT_DIR=/usr/share/filebeat
METRICBEAT_DIR=/usr/share/metricbeat

# Letsencrypt certificates
## Setting STAGING to true means it will generate self-signed certificates
## Setting STAGING to false means it will generate letsencrypt certificates
STAGING=false
#STAGING=true

# swag Configuration
DOMAIN=example.com
SUBDOMAIN=kibana
#SUBFOLDER=kibana
EMAIL=email@example.com
TIMEZONE=America/Chicago
```

docker version

```
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:41 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:44:05 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

docker-compose version

```
docker-compose version 1.29.2, build 5becea4c
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019
```

elk-tls-docker version - 1.3.0

I tried with both options SUBDOMAIN and SUBFOLDER, only to end up in similar errors. Any help here would be appreciated.
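
Added example, not part of the original issue or of the elk-tls-docker project: a small triage script that reads `docker-compose logs` output, picks out the two certificate trust failures quoted in the issue, and extracts the address of the client that rejected the Elasticsearch certificate. The function names and the meaning labels are assumptions made for this illustration.

```python
import json
import re

# Log lines copied from the issue (`docker-compose logs` form); the last line is constructed.
SAMPLE_LOGS = r'''
elasticsearch | {"type": "server", "timestamp": "2022-01-18T03:03:17,545Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elk-tls-cluster", "node.name": "elasticsearch", "message": "http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/172.19.0.2:9200, remoteAddress=/172.19.0.5:51048}", "cluster.uuid": "DsG__rYzS4GNZ69miZs_Fg", "node.id": "l9xk4d7BSECjE9QYPfDOEg" }
kibana | {"type":"log","@timestamp":"2022-01-18T03:02:57+00:00","tags":["error","savedobjects-service"],"pid":1220,"message":"Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate"}
kibana | constructed plain-text line, not JSON
'''

# Message fragments that mark a TLS trust failure, and which side reported it.
TRUST_FAILURES = {
    "did not trust this server's certificate": "server saw its certificate rejected by the client",
    "unable to verify the first certificate": "client found no chain from the leaf to a trusted CA",
}
PEER = re.compile(r"remoteAddress=/([0-9.]+):(\d+)")

def parse_line(line):
    """Split 'service | {json}'; return (service, record) or None if not a JSON object."""
    service, sep, payload = line.partition("|")
    try:
        record = json.loads(payload) if sep else None
    except json.JSONDecodeError:
        return None
    return (service.strip(), record) if isinstance(record, dict) else None

def find_trust_failures(text):
    """Return one finding per log line that reports a certificate trust failure."""
    findings = []
    for parsed in filter(None, map(parse_line, text.splitlines())):
        service, rec = parsed
        message = str(rec.get("message", ""))
        for marker, meaning in TRUST_FAILURES.items():
            if marker in message:
                peer = PEER.search(message)
                findings.append({
                    "reported_by": service,
                    "timestamp": rec.get("timestamp") or rec.get("@timestamp"),
                    "meaning": meaning,
                    "client_ip": peer.group(1) if peer else None,
                })
    return findings

if __name__ == "__main__":
    for finding in find_trust_failures(SAMPLE_LOGS):
        print(finding)
```

The `client_ip` taken from the Elasticsearch line (172.19.0.5 here) is the container that rejected the certificate; `docker network inspect` on the compose network maps that address to a service name.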
