I have a k8s cluster configured with calico as networking system. I'm running slightly customized versions of helm elastic/elasticsearch and elastic/kibana with security enabled. For security, I use Let's Encrypt certificates. When starting kibana, the connection to the elasticsearch instance fails with this error

{"type":"log","@timestamp":"2021-06-01T13:09:55+00:00","tags":["debug","elasticsearch","query","data"],"pid":952,"message":"[ConnectionError]: unable to get issuer certificate"}

I can resolve this problem, by disabling certificate verification in kibana. Can anyone see, why its failing?

keystore creation

cat cert1.pem > store.pem
cat privkey1.pem >> store.pem
cat chain1.pem >> store.pem
cat fullchain1.pem >> store.pem
openssl pkcs12 -export -in store.pem -out keystore.pkcs12


replicas: 1
minimumMasterNodes: 1

   elasticsearch.yml: |
     xpack.security.transport.ssl.enabled: true
     xpack.security.transport.ssl.verification_mode: certificate
     xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.pkcs12
     xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.pkcs12
     xpack.security.http.ssl.enabled: true
     xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.pkcs12
     xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.pkcs12
     xpack.security.enabled: true
        name: elastic-credentials
        key: password
        name: elastic-credentials
        key: username
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs-gen/
protocol: https
  labels: {}
  labelsHeadless: {}
  type: NodePort
  nodePort: 30001
  annotations: {}
  httpPortName: http
  transportPortName: transport
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""
clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s"


elasticsearchHosts: "redacted its a TLD with appropriate port"

  - name: "NODE_OPTIONS"
    value: "--max-old-space-size=1800"
        name: elastic-credentials
        key: username
        name: elastic-credentials
        key: password
        name: kibana
        key: encryptionkey
    value: "true"

  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/kibana/config/certs-gen/

  kibana.yml: |
      enabled: true
      key: /usr/share/kibana/config/certs-gen/privkey1.pem
      certificate: /usr/share/kibana/config/certs-gen/fullchain1.pem
      certificateAuthorities: /usr/share/kibana/config/certs-gen/fullchain1.pem
      verificationMode: certificate
    xpack.reporting.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
    xpack.security.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
    xpack.encryptedSavedObjects.encryptionKey: ${KIBANA_ENCRYPTION_KEY}

protocol: https

  type: NodePort
  loadBalancerIP: ""
  port: 5601
  nodePort: 30002
  labels: {}
  annotations: {}
    # cloud.google.com/load-balancer-type: "Internal"
    # service.beta.kubernetes.io/aws-load-balancer-internal:
    # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # service.beta.kubernetes.io/openstack-internal-load-balancer: "true"
    # service.beta.kubernetes.io/cce-load-balancer-internal-vpc: "true"
  loadBalancerSourceRanges: []
  httpPortName: HTTP

kubectl get pv,pvc,nodes,pods,svc

NAME                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                                                 STORAGECLASS   REASON   AGE
persistentvolume/elk-data   30Gi       RWO            Retain           Bound    default/elasticsearch-master-elasticsearch-master-0                           40m

NAME                                                                STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
persistentvolumeclaim/elasticsearch-master-elasticsearch-master-0   Bound    elk-data   30Gi       RWO                           32m

NAME                 STATUS   ROLES                  AGE   VERSION
node/kubeloadbalan   Ready    control-plane,master   28h   v1.21.1

NAME                                    READY   STATUS    RESTARTS   AGE
pod/elasticsearch-master-0              1/1     Running   0          13m
pod/kibana-kibana-7fdbd7c66d-bg5xb      0/1     Running   0          7m1s
pod/nginx-deployment-868c6bb874-tsbg4   1/1     Running   0          40m

NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                         AGE
service/elasticsearch-master            NodePort     <none>        9200:30001/TCP,9300:32185/TCP   13m
service/elasticsearch-master-headless   ClusterIP   None            <none>        9200/TCP,9300/TCP               13m
service/kibana-kibana                   NodePort    <none>        5601:30002/TCP                  7m1s
service/kubernetes                      ClusterIP       <none>        443/TCP                         28h
service/nginx-service                   NodePort   <none>        80:30000/TCP                    40m

From inside the container:

kubectl exec pod/kibana-kibana-7fdbd7c66d-bg5xb -it bash

curl -k -u redacted:redacted https://redacted:30001

  "name" : "elasticsearch-master-0",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "iXEuqB7iQ9abptIZ_Gp1yg",
  "version" : {
    "number" : "7.13.0",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "5ca8591c6fcdb1260ce95b08a8e023559635c6f3",
    "build_date" : "2021-05-19T22:22:26.081971330Z",
    "build_snapshot" : false,
    "lucene_version" : "8.8.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  "tagline" : "You Know, for Search"

curl  -u redacted:redacted https://redacted:30001
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

That shows, that even curl cannot verify legitimacy from inside the container. That might indicate that the problem is also located on elasticsearch. The full Kibana log is a complete mess due to increased verbosity. I can post it on request.

I sank days into that. I'm burnt out and don't know where to continue.

  • I don't see anywhere that you have provided the CA certificates? – Michael Hampton Jun 01 '21 at 14:20
  • @MichaelHampton Hi! In values_kibana.yaml, CA should be provided though "certificateAuthorities: /usr/share/kibana/config/certs-gen/fullchain1.pem" doesn't it? In values_elastic, CA should be provided through the keystore, in which I added fullchain1.pem. Is this wrong? – I. Shm Jun 01 '21 at 14:28
  • There are no CA certificates in fullchain.pem! This is a common misconception. The trusted CA certificates for Internet sites are generally in a bundle included with your operating system. Some containers omit this bundle to save space. We can tell that it is missing because curl did not work. And of course certificateAuthorities: exists to provide a private CA certificate, for networks not meant to be accessible from the Internet. – Michael Hampton Jun 01 '21 at 14:40
  • @MichaelHampton I see. Indeed I have a ca-bundle.crt and ca-bundle.trust.crt in /etc/ssl/certs, however, what you've written indicates, that the Let's Encrypt CA is missing in that bundle. Is it possible for me to add it via the certificateAuthorities line in values_kibana.yaml? Where do I get the right file? There are quite many CA's on the Let's Encrypt page. – I. Shm Jun 01 '21 at 14:51
  • Well it's very odd for your CA bundle to not have the right CA certificates. They should be there on any currently supported container image. Are you using a very old (years) or unsupported base image? I suppose you can manually find the CA certificate and add it to the bundle, but I don't have the process for that offhand, and it wouldn't solve the underlying problem anyway, just make it a problem for future you. – Michael Hampton Jun 01 '21 at 14:57
  • The image I'm using is referenced through https://github.com/elastic/helm-charts/tree/master/kibana#requirements which states: "This Helm chart is a lightweight way to configure and run our official Kibana Docker image.". Should function right out of the box and be up to date. Do you think this could be a bug? – I. Shm Jun 01 '21 at 15:07
  • Who knows? Supposedly Kibana's own images are built on centos:7 but who knows if they are up to date. – Michael Hampton Jun 01 '21 at 15:27
  • By just pulling the kibana image with "sudo docker run -d docker.elastic.co/kibana/kibana:7.13.0" and curling from within the container: IT WORKS. It should not be a image-related problem. – I. Shm Jun 01 '21 at 15:47
  • Well that's interesting. It suggests that something you have done to customize the image has caused the problem. What that might be isn't really obvious to me though. – Michael Hampton Jun 01 '21 at 15:48
  • You will not believe it. Adding a wrong CA actually caused the problem. You did help me to solve the problem indirectly. Thank you sir, I wish you the best. – I. Shm Jun 01 '21 at 15:50

Through discussing the possible root cause of the problem (missing CA) in the comments, I found the solution myself. The issue is caused by adding a wrong CA with

  certificateAuthorities: /usr/share/kibana/config/certs-gen/fullchain1.pem
  verificationMode: certificate

Deleting those entries resolves the problem.

