Closed PetrusZ closed 1 year ago
Hi,
Could you add more details on how you created the certificate?
The certificate is auto generated by bitnami/elasticsearch, I use those values in bitnami/elasticsearch:
```yaml
global:
  kibanaEnabled: false
security:
  enabled: true
  existingSecret: "elastic-security"
  tls:
    autoGenerated: true
ingress:
  enabled: true
  hostname: elastic.codeplayer.org
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  tls: true
  ingressClassName: "nginx"
```
It seems there is something missing in the certificate, the intermediate issue or something like that. Have you tried relaxing the verification mode?
```yaml
## @param elasticsearch.security.tls.verificationMode Verification mode for SSL communications.
## Supported values: full, certificate, none.
## Ref: https://www.elastic.co/guide/en/kibana/7.x/settings.html#elasticsearch-ssl-verificationmode
verificationMode: "full"
```
Hi @fmulero, even if I set verificationMode to none, I still get the same error.
Hi Petrus, I've tested 2 different scenarios with autogenerated certs:
For the first scenario I deployed elasticsearch:
```
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install elasticsearch bitnami/elasticsearch -f elasticsearch.yml
$ helm install kibana bitnami/kibana -f kibana.yml
```
This is the content of the elasticsearch.yml file (the secret is included to facilitate testing):
```yaml
global:
  kibanaEnabled: false
security:
  enabled: true
  existingSecret: elastic-security
  tls:
    autoGenerated: true
    restEncryption: true
extraDeploy:
  - kind: Secret
    apiVersion: v1
    type: Opaque
    metadata:
      name: elastic-security
      namespace: default
    data:
      elasticsearch-password: SGVsbG9Xb3JsZCE=
```
And this is the configuration for kibana. Here I have to configure kibana to trust the certificate created by the elasticsearch deployment:
```yaml
metrics:
  enabled: true
  serviceMonitor:
    enabled: true
image:
  debug: true
tls:
  enabled: true
  autoGenerated: true
elasticsearch:
  hosts:
    - elasticsearch
  port: 9200
  security:
    auth:
      enabled: true
      existingSecret: kibana-secret
      createSystemUser: true
      elasticsearchPasswordSecret: elastic-security
    tls:
      enabled: true
      existingSecret: elasticsearch-coordinating-crt
      usePemCerts: true
extraDeploy:
  - kind: Secret
    apiVersion: v1
    type: Opaque
    metadata:
      name: kibana-secret
      namespace: default
    data:
      kibana-password: SGVsbG9Xb3JsZCE=
```
In this scenario I've deployed elasticsearch and kibana enabling the ingress for both.
```
$ helm install elasticsearch bitnami/elasticsearch -f elasticsearch-ingress.yml
$ helm install kibana bitnami/kibana -f kibana-ingress.yml
```
This is the content of the elasticsearch-ingress.yml file:
```yaml
global:
  kibanaEnabled: false
security:
  enabled: true
  existingSecret: "elastic-security"
  tls:
    autoGenerated: true
    restEncryption: true
ingress:
  enabled: true
  hostname: elastic.codeplayer.org
  tls: true
  selfSigned: true
  ingressClassName: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
extraDeploy:
  - kind: Secret
    apiVersion: v1
    type: Opaque
    metadata:
      name: elastic-security
      namespace: default
    data:
      elasticsearch-password: SGVsbG9Xb3JsZCE=
```
And this other code block has the content of the kibana-ingress.yml file:
```yaml
metrics:
  enabled: true
  serviceMonitor:
    enabled: true
image:
  debug: true
ingress:
  enabled: true
  hostname: kibana.codeplayer.org
  tls: true
  selfSigned: true
  ingressClassName: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
tls:
  enabled: true
  autoGenerated: true
elasticsearch:
  hosts:
    - elastic.codeplayer.org
  port: 443
  security:
    auth:
      enabled: true
      existingSecret: "kibana-secret"
      createSystemUser: true
      elasticsearchPasswordSecret: "elastic-security"
    tls:
      enabled: true
      existingSecret: "elastic.codeplayer.org-tls"
      usePemCerts: true
extraDeploy:
  - kind: Secret
    apiVersion: v1
    type: Opaque
    metadata:
      name: kibana-secret
      namespace: default
    data:
      kibana-password: SGVsbG9Xb3JsZCE=
```
In this scenario I've configured kibana to use the ingress endpoint (elastic.codeplayer.org:443) instead of the service (elasticsearch:9200), and now kibana must trust the certificate exposed by the ingress.
OMG, I forgot I should use the certificate exposed by the ingress when I use the ingress endpoint as host. I'm stupid.
Thank you very much fmulero!
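The trust mismatch resolved in this thread can be reproduced offline. The script below is an added example, not code from the thread or from the Bitnami charts: it builds two throwaway CAs (the names `es-ca` and `ingress-ca` are assumptions standing in for the chart's auto-generated CA and the ingress certificate's issuer) and checks each served certificate against each CA with `openssl verify`, which reports the same reason string that Kibana logged.

```bash
#!/usr/bin/env bash
# Added example, constructed data only: two throwaway CAs stand in for
#   es-ca      = CA auto-generated by the Elasticsearch chart  (assumed name)
#   ingress-ca = issuer of the certificate the ingress serves  (assumed name)

make_ca() {      # make_ca <dir> <name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_leaf() {   # issue_leaf <dir> <ca-name> <leaf-name> <hostname>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# Prints "trusted", or the OpenSSL reason when the chain cannot be built.
check_trust() {  # check_trust <ca-bundle> <served-cert>
  local out
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo "trusted"
  else
    printf '%s\n' "$out" | sed -n 's/.*lookup: *//p' | head -n 1
  fi
}

demo() {
  local d
  d=$(mktemp -d)
  make_ca "$d" es-ca && make_ca "$d" ingress-ca
  # Certificate served by the in-cluster service (elasticsearch:9200)
  issue_leaf "$d" es-ca es-svc elasticsearch
  # Certificate served by the ingress (elastic.codeplayer.org:443)
  issue_leaf "$d" ingress-ca ingress elastic.codeplayer.org
  echo "service cert vs ES CA:      $(check_trust "$d/es-ca.crt" "$d/es-svc.crt")"
  echo "ingress cert vs ES CA:      $(check_trust "$d/es-ca.crt" "$d/ingress.crt")"
  echo "ingress cert vs ingress CA: $(check_trust "$d/ingress-ca.crt" "$d/ingress.crt")"
  rm -rf "$d"
}
demo
```

The middle case is the one from the issue: the client holds only the Elasticsearch CA while the endpoint it connects to presents a certificate issued by someone else.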
Name and Version
bitnami/kibana 10.2.5
What steps will reproduce the bug?
helm install -n database --create-namespace -f kibana.values.yaml kibana bitnami/kibana
Unable to retrieve version information from Elasticsearch nodes. unable to get local issuer certificate
Are you using any custom parameters or values?
What is the expected behavior?
No response
What do you see instead?
Additional information
No response