Wazuh Dashboard Not Starting


Cory

Jul 18, 2024, 9:38:58 AM
to Wazuh | Mailing List

I have a Wazuh server (all three parts of it) installed on a VM running Ubuntu 22.04. I believe the installation is over a year old at this point, but the wazuh-dashboard process has recently stopped running… After looking at some logs, I believe the last time the wazuh-dashboard service ran successfully was possibly on 06/12/2024.

I found this issue last week. I have monitoring on this server that alerts me to when updates need to be installed and I generally take care of them quickly after the alerts show up, so the server should be up to date on everything.

I’m thinking this could be related to SSL certs expiring or something based on what I’ve been able to see, but I’m really not sure. I’ve tried some commands from the install documentation for Wazuh that I thought would allow me to replace the certs, but either I messed that up or it didn’t work.

Anyway, please see the attached log and let me know how else I may help you to help me resolve this. Any help you can provide is greatly appreciated!


journalctl-wazuh-dashboard_2024-07-17_only.txt

Julio Gasco

Jul 18, 2024, 2:31:20 PM
to Wazuh | Mailing List

Hi Cory,
Per the shared logs, the error seems to be in the certificate folder / file permissions.
Can you please check that the folder is owned by wazuh-dashboard (both user and group) and has 500 permissions, and that the files have 400 permissions? If not, you can set it up the following way:
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*


Remember that certificates need to have those permissions, not more. Please try this and restart your wazuh-dashboard, and let's see if the error persists, or share any other error that you might be having and we can continue helping you.
Regards!

Cory

Jul 18, 2024, 3:58:49 PM
to Wazuh | Mailing List
I've made some progress today, though I couldn't tell you now exactly what I did to get it as far as I have. I believe to get it to where I'm at, I replaced the certs and imported the CA cert file into the certificate store on the server.

Now, I have wazuh-dashboard running; however, the web interface shows "Wazuh dashboard server is not ready yet".

I believe the issue now lies with filebeat and the certificates, but I'm not sure where to go next. Does the below help any?

sudo filebeat test output
elasticsearch: https://<IP-address>:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses:  <IP-address>
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Wazuh")

Julio Gasco

Jul 22, 2024, 5:03:28 PM
to Wazuh | Mailing List
Hi Cory,
I think the problem is that you replaced only a part of the certs, and they should all be replaced with the same root-ca. Otherwise they won't recognize each other.

You can create the certificates following the next document:

Once you have them, I will give you the steps for deploying each of the certificates, depending on the component:

Wazuh-Indexer
Wazuh-Manager (filebeat)

If you already have a set of certificates for all components, you can use those; just make sure to replace them all from the same set (which uses the same root-ca).

Let me know if this helps!
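
Added example, not part of the original thread or of Wazuh's tooling: a shell check for the mismatch described above, where component certificates that were not all issued by the same root CA fail to verify even when the CA name is identical (the "Wazuh" authority in the filebeat error). File paths are passed as arguments, the function and script names are hypothetical, and it assumes the `openssl` CLI, version 1.1.0 or later.

```bash
#!/usr/bin/env bash
# Added example (not Wazuh tooling): confirm that every component certificate
# was issued by the same root CA file. All paths are supplied by the caller.

# check_cert ROOT_CA CERT: prints one status line and returns 0 only if CERT
# verifies against ROOT_CA.
check_cert() {
    local ca="$1" cert="$2" f
    # SSL_CERT_DIR and -no-CApath keep the OS trust store out of the check, so
    # a CA imported system-wide cannot mask a mismatch with ROOT_CA.
    if SSL_CERT_DIR=/nonexistent openssl verify -no-CApath \
            -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK            $cert"
        return 0
    fi
    # Rule out plain expiry (of the certificate or of the CA) first.
    for f in "$cert" "$ca"; do
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "EXPIRED       $cert ($f is expired or unreadable)"
            return 1
        fi
    done
    # Compare the issuer name of CERT with the subject name of ROOT_CA.
    if [ "$(openssl x509 -in "$cert" -noout -issuer_hash)" = \
         "$(openssl x509 -in "$ca" -noout -subject_hash)" ]; then
        # Same CA name, yet the chain does not verify: CERT was most likely
        # signed by a different key, i.e. a root CA from another generation.
        echo "KEY-MISMATCH  $cert (issuer name matches ROOT_CA, signature does not)"
    else
        echo "WRONG-CA      $cert ($(openssl x509 -in "$cert" -noout -issuer))"
    fi
    return 1
}

# check_set ROOT_CA CERT...: exit status is the number of failing certificates.
check_set() {
    local ca="$1" failed=0 cert
    shift
    for cert in "$@"; do
        check_cert "$ca" "$cert" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage: ./check-ca.sh root-ca.pem cert1.pem [cert2.pem ...]
if [ "$#" -ge 2 ]; then
    check_set "$@"
fi
```

Run it with the root CA and the certificate installed for each component (for the dashboard, the files under /etc/wazuh-dashboard/certs); any line other than OK marks a certificate that must be reissued from the same root CA.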

Cory

Jul 26, 2024, 9:44:52 AM
to Wazuh | Mailing List
Thank you much for your help! After doing what you suggested, I was still getting a dashboard not ready message. So, I did a bit more looking around and found this https://github.com/wazuh/wazuh/issues/19337 issue. After changing the localhost to the actual IP, it is now happy.

Thanks again!!

Have a blessed weekend!

Thank You,
Cory