Filebeat Elasticsearch "Unknown certificate"


Angus Woodbury

Apr 19, 2022, 10:42:06 AM
to Wazuh mailing list
Hello,

I have a fresh install of the All in One variety. Made a couple of certs from my own CA and distributed those same 2 certs to Filebeat/Elasticsearch/Kibana and everything looked good. Access to the web interface was secure and I added a few agents. I noticed that Elasticsearch and Filebeat were not communicating. Testing the output for Filebeat gave me "remote error: tls: unknown certificate". When I run curl on the host wazuh.local.lan:9200, it successfully runs. When I run curl -v --cert /path/to/cert.pem --key /path/to/key.pem https://wazuh.local.lan:9200 it gives me "unknown certificate", but if I run that exact command without the port number (e.g. curl -v --cert /path/to/cert.pem --key /path/to/key.pem https://wazuh.local.lan) it is successful.

I figure that I am missing something simple here. I have verified paths and config files until my eyes were watering. I can't help but wonder if there is something specific that I needed to create my certs, or possibly some other configuration file that could help me (instances.yml?). Any advice or direction would be great.

Thanks!

Aditya Sharma

Apr 22, 2022, 2:50:53 AM
to Wazuh mailing list
Hi, Thanks for using Wazuh!

I guess somewhere you have missed updating the correct certificates. To check whether they are correct or not, please check this out: https://documentation.wazuh.com/current/user-manual/certificates.html

To check whether the instances.yml is correct or not, please check this out here: https://documentation.wazuh.com/current/user-manual/certificates.html

To check the installation of every single component, check this out here also: https://documentation.wazuh.com/current/installation-guide/index.html

I hope this helps you!

Regards
Aditya Sharma

Angus Woodbury

Apr 22, 2022, 10:02:32 AM
to Wazuh mailing list
I mean, I have read all of those documents many times over and tried to interpret them as best as I could. Is this the best answer as to what I did wrong or what's specifically wrong? RTFM? That took days? I have the common names and node names lined up and the IPs match what's in instances.yml. Is there something else there that's particularly important? I guess you're just telling me I'm not smart enough to figure out how certs work for this particular product because the documentation is perfect. Noted. Have a good day.

Angus Woodbury

Apr 23, 2022, 8:43:54 AM
to Wazuh mailing list
So I was irritated into solving this issue yesterday. Here is what I have learned about my problem that is not in the documentation.

This error seems to only be related to the admin certs. I have broken my cert chain in nearly every way while troubleshooting, and Filebeat always gives better errors than just "unknown certificate" if the server chains are broken. These certs were also clearly never meant to be replaced after generation, even though you'll have no problem doing so with the server certs (as long as you follow your instances.yml). After inspecting a freshly generated admin cert and comparing it to the one from my CA, it's clear that there were differences.

Once I figured out what my problem was, this support person's information was very valuable despite the fact that it was not directly related to my problem: https://groups.google.com/g/wazuh/c/Yolmu35Qp_g

The product itself seems very powerful and I look forward to seeing what I can do with it.
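The check the last post describes by hand (inspect the admin cert you generated yourself and compare it with one the product's tooling would produce) can be scripted. The script below is an added example and is not code from the thread, from Wazuh, or from Open Distro. "remote error: tls: unknown certificate" is how Go's TLS stack (which Filebeat uses) reports the server's certificate_unknown alert about the client certificate it presented, so the server's own chain can be fine and this still fails. The script assumes only that the openssl CLI is installed; the admin DN `CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US`, the `admin_dn` setting name, and the hostnames in the generated test certificates are assumptions and constructed test data, not values taken from the thread. Replace the DN with whatever your elasticsearch.yml lists under the security plugin's `authcz.admin_dn`.

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh. Requires only the openssl CLI.
# It checks the three things the server evaluates on a client (admin) cert that
# a broken *server* chain would not explain:
#   1. the cert chains to the CA the cluster trusts
#   2. its subject DN is exactly the configured admin DN (RFC 2253 order)
#   3. it carries extendedKeyUsage=clientAuth
set -e

# Subject DN in RFC 2253 order, the order admin_dn / nodes_dn entries use.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Extended key usage line, or empty when the certificate has no EKU extension.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//' || true
}

# cert_chains_to CA.pem cert.pem : exit status 0 if cert verifies against CA.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_admin_cert CA.pem cert.pem ADMIN_DN : 0 if all three checks pass,
# otherwise prints every reason and returns 1.
check_admin_cert() {
    ca="$1"; cert="$2"; admin_dn="$3"; rc=0
    if ! cert_chains_to "$ca" "$cert"; then
        echo "FAIL: $cert does not chain to $ca"; rc=1
    fi
    dn=$(cert_dn "$cert")
    if [ "$dn" != "$admin_dn" ]; then
        echo "FAIL: subject '$dn' is not admin_dn '$admin_dn'"; rc=1
    fi
    case "$(cert_eku "$cert")" in
        *"Client Authentication"*) ;;
        *) echo "FAIL: $cert has no extendedKeyUsage=clientAuth"; rc=1 ;;
    esac
    return $rc
}

# make_demo_certs DIR : constructed test data, a throw-away CA plus two certs.
#   good.pem - subject matches the assumed admin DN and has EKU clientAuth
#   bad.pem  - signed by the same CA, but a "my own CA" style subject and no EKU
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    # openssl -subj takes slash form; RFC 2253 output reverses it.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=admin" \
        -keyout "$dir/good.key" -out "$dir/good.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/good.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/good.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wazuh.local.lan/O=HomeLab" \
        -keyout "$dir/bad.key" -out "$dir/bad.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/bad.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/bad.pem" 2>/dev/null
}

# Stand-alone demo: the assumed admin DN; swap in the one from your elasticsearch.yml.
demo() {
    admin_dn='CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US'
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    check_admin_cert "$tmp/ca.pem" "$tmp/good.pem" "$admin_dn" && echo "good.pem: OK"
    check_admin_cert "$tmp/ca.pem" "$tmp/bad.pem" "$admin_dn" || echo "bad.pem: would be rejected"
    rm -rf "$tmp"
}

demo
```

To run it against a real installation, call `check_admin_cert /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/admin.pem "$ADMIN_DN"` with the paths from your own filebeat.yml and elasticsearch.yml. Note that the DN must match character for character; a certificate from your own CA that puts the RDNs in a different order, or adds a component, will verify fine with `openssl verify` and still be rejected as an admin certificate.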


