@JiiHoo / @nicholson could you please post some parts of kibana.yml and elasticsearch.yml config files?
I’m trying to update from 1.9 to 1.11 but with the same configuration it says in browser:
{"statusCode":403,"error":"Forbidden","message":"Request failed authentication."}
When kibana is starting I can view this in logs:
{"type":"log","@timestamp":"2021-02-02T12:09:20Z","tags":["error","plugins","opendistroSecurity"],
"pid":1,"message":"{ Error: unable to verify the first certificate\n at TLSSocket.onConnectSecure (_tls_wrap.js:1088:34)\n
at TLSSocket.emit (events.js:198:13)\n at TLSSocket._finishInit (_tls_wrap.js:666:8)\n code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',\n
trace:\n [ { method: 'GET',\n url:\n 'https://sso.intranet.kuberme.aws/auth/realms/master/.well-known/openid-configuration' } ],\n
isBoom: true,\n isServer: true,\n data: null,\n output:\n { statusCode: 502,\n payload:\n { message:\n
'Client request error: unable to verify the first certificate',\n statusCode: 502,\n error: 'Bad Gateway' },\n headers: {} } }"}
But I don’t know if it’s an error or not because I can use curl with the self-signed cert to keycloak and it responds correctly.
My kibana.yml security info is:
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://{SSO_DOMAIN}/auth/realms/master/.well-known/openid-configuration"
opendistro_security.openid.base_redirect_url: "https://{KIBANA_DOMAIN}/"
opendistro_security.openid.client_id: "kuberme-kibana"
opendistro_security.openid.client_secret: "secret-id-value"
opendistro_security.openid.root_ca: "/usr/share/kibana/config/root-ca.pem"
opendistro_security.allow_client_certificates: "true"
Where kibana_domain and sso_domain are the hostnames of my kibana and keycloak. Have you got some additional params?
Thanks in advance