search

xco-sk / eck-custom-resources

Kubernetes operator for Indices, Index Templates, Roles, Users and other Elasticsearch and Kibana related resources.
Apache License 2.0
36 stars 8 forks source link

Kibana Instance certificate issue - x509: certificate signed by unknown authority #51

Closed kemil-sakhareliya closed 1 year ago

kemil-sakhareliya commented 1 year ago

Hi!

I am facing this issue x509: certificate signed by unknown authority while adding dataview object

we use elastic cloud and we have https endpoint for Kibana. I downloaded the certificate from ElasticSearch --> deployment --> security --> CA certificates

I added the certificate in a secret inside kubernetes and added that secret name and key in the kibana instance.

Kibana Instance:

apiVersion: kibana.eck.github.com/v1alpha1
kind: KibanaInstance
metadata:
  name: kibana-instance
  namespace: elk-beats
spec:
  enabled: true
  url: https://..
  certificate:
    secretName: eck-kibana-instance-crt
    certificateKey: ca.crt
  authentication:
    usernamePasswordSecret:
      secretName: eck-operator-secret
      userName: username

DataView:

apiVersion: kibana.eck.github.com/v1alpha1
kind: DataView
metadata:
  name: test-dataview
  namespace: elk-beats
spec:
  targetInstance:
    name: kibana-instance
  body: |
    {
      "title": "test-dataview*",
      "timeFieldName": "@timestamp",
    }

Error: 1.681221625623375e+09 DEBUG events Warning {"object": {"kind":"DataView","namespace":"elk","name":"test-dataview","uid":"83e90","apiVersion":"kibana.eck.github.com/v1alpha1","resourceVersion":"374169829"}, "reason": "Failed to create/update", "message": "Failed to create/update kibana.eck.github.com/v1alpha1/DataView test-dataview: Get \"https://dgdg": x509: certificate signed by unknown authority"}

OR is there any way I can disable ssl verification as we can do with filebeat like for ex: ssl.verification_mode: none

Please let me know what is going wrong.

Thanks.

xco-sk commented 1 year ago

Hello @kemil-sakhareliya, it seems like the certificate you are providing is not the one used by Kibana API, therefore the error with an unknown authority. You can try to check and compare the certificate you stored in Secret with certificates exported from your Kibana using the openssl:

openssl s_client -connect <kibana host>:<kibana port> -showcerts

The output will contain the whole certificate chain so at least one of the certificates from the chain (preferably the root) should be equal to the one you've got in your secret. If not, then you can use the exported certificate in your Secret.

kemil-sakhareliya commented 1 year ago

@xco-sk Thanks worked.