Front end SSL encryption - certificate unknown errors


I’ve followed the SSL encryption configuration information and I am still having issues. I have a GUI which needs to connect to the External API. I am using ROR 1.35 free with ELK stack 7.11.1 on a Windows 2016 server.

What I have done/tried:

  • Added http.type: ssl_netty4 to the elasticsearch.yml file.
  • Created the ssl: section with a keystore and truststore for the readonlyrest.yml file.
  • Set client_authentication: true
  • Allow requests from listed machines using hosts (GUI machine is on the list.)
  • Added the GUI certificate to the truststore, the keystore, the Java cacerts truststore, and the machine certificate store (Trusted Root Certification Authorities, and under personal)

All nodes are running ROR 1.35 however only this node is being set up for SSL connections (External API only). I’ll also need to connect a Kibana instance to this after I figure out the GUI issue.

Any ideas, or things to try I might have missed?



Hi @JimP, can you show us the resulting YAML?

Hey, here is the readonlyrest yaml: I do have xpack security set for false in the elastic yaml.

response_if_req_forbidden: This request has been refused because it originated from an unknown or untrusted source.

  keystore_file: "key.jks"
  keystore_pass: pass
  key_pass: pass
  truststore_file: "trust.jks"
  truststore_pass: pass
  client_authentication: true


- name: known-es-server-list
  hosts: ["xx.xx.xx.xx", "xx.xx.xx.xx"]
  verbosity: error

- name: gui
  x_forwarded_for: ["xx.xx.xx.xx"]
  actions: ["indices:data/read/*","indices:admin/aliases/get"]
  indices: ["*"]
  verbosity: error

- name: test
  x_forwarded_for: ["xx.xx.xx.xx"]
  indices: ["*"]
  verbosity: error

- name: Kibana
  type: allow
  auth_key: kibana:pass

- name: "::user::"
  auth_key: user:pass
  kibana_access: admin
  verbosity: error

Seems fine, what is the error on the client side? Any SSL debug information available when the connection fails?

Logs don’t help much = net::ERR_CERT_AUTHORITY_INVALID

Not using a self signed certificate. Going back to double check if there are any issues with the certificate.

Thanks for verifying YAML.

1 Like

Just a quick question, is the SSL connection to the readonlyrest over elasticsearch instance a one-to-one connection? Do you know if windows certificate trusts interfere with the connection?


Ok, ERR_CERT_AUTHORITY_INVALID is a specific error.

Elasticsearch is a Java application, maybe the Java certification authority list needs to be updated? By the way, ES ships with its own platform dependant “jdk” directory.

Thanks. I am actually using the jdk shipped with ES. I’ll check the Java cert authority list.

Sorry for any silly questions, still learning SSl stuff, never had to deal with it before.

No problem, SSL is a valley of nails, and nobody is wearing shoes.