29. 12. 2024 Andrea Mariani Log-SIEM, NetEye

How to Configure Kibana to Use a Proxy Server with a Certificate via the NODE_EXTRA_CA_CERTS Variable

When using Kibana in environments that require a proxy to reach external services, you might encounter issues with unrecognized SSL certificates. Specifically, if the proxy is exposed with its own certificate and acts as an SSL terminator, requests made by Kibana to external URLs can fail with HTTP status code errors. In this blog post, we’ll explore how to resolve this issue using the NODE_EXTRA_CA_CERTS environment variable.

The Problem

Consider a scenario where Kibana tries to access the following URL:

https://epr.elastic.co/search?package=elastic_agent&prerelease=false&kibana.version=8.10.2

If this request goes through a proxy using a custom SSL certificate, then without proper configuration you’ll encounter an error like:

Status code was 404 and not [200]: HTTP Error 404: Not Found

This error is not due to a real 404 Not Found issue but rather because Kibana doesn’t recognize the proxy’s certificate. As a result, the Node.js client built into Kibana fails to establish a secure connection.

The Solution: The NODE_EXTRA_CA_CERTS Variable

To solve this issue, you can use the NODE_EXTRA_CA_CERTS environment variable provided by Node.js. This variable allows you to specify a file containing additional CA certificates that Node.js should trust.

It’s important to note that Kibana doesn’t automatically use the system’s trusted certificate chain. Even if the proxy’s certificate is added to the operating system’s certificate store, Kibana will not recognize it unless explicitly instructed to by using the NODE_EXTRA_CA_CERTS variable.

Steps to Configure NODE_EXTRA_CA_CERTS

  1. Obtain the Proxy Certificate
    • Retrieve the proxy’s public certificate (for example, using the openssl command):
      • openssl s_client -showcerts -connect <proxy_host>:<proxy_port>
    • Add the certificate into file: /etc/pki/tls/certs/ca-bundle.crt
  2. Modify Kibana Configuration
    • Add the NODE_EXTRA_CA_CERTS environment variable to the configuration file or the startup script for Kibana.
      • vim /neteye/shared/kibana/conf/sysconfig/kibana-user-customization
    • Add the following line
      • NODE_EXTRA_CA_CERTS="/etc/pki/tls/certs/ca-bundle.crt"
  3. Restart Kibana
    • After updating the configuration, reload Systemd configuration files and restart Kibana:
      • sudo systemctl daemon-reload
      • sudo systemctl restart kibana-logmanager
  4. Verify Functionality
    • Check the Kibana logs to ensure no certificate-related errors or 404 status code errors were logged:
      • journalctl -fu kibana-logmanager

Why Use NODE_EXTRA_CA_CERTS?

Using this variable is especially useful when you want to avoid completely disabling SSL verification (e.g., with the NODE_TLS_REJECT_UNAUTHORIZED=0 option), which poses a security risk. By specifying only the necessary certificates, you ensure connections are secure while still validating certificates correctly.

Conclusion

Configuring Kibana to work with a proxy exposed via a custom certificate might seem complex, but the NODE_EXTRA_CA_CERTS variable simplifies the process significantly. By following the steps outlined above, you can ensure that Kibana securely makes external requests through your proxy.

Andrea Mariani

Andrea Mariani

Author

Andrea Mariani

Latest posts by Andrea Mariani

11. 09. 2025 NetEye, PHP, Unified Monitoring
Using Keycloak to Secure Web Pages and Virtual Directories
20. 06. 2025 NetEye, Unified Monitoring
NEP Telegram Notification
21. 03. 2025 NetEye, Unified Monitoring
How to Create a Serial Modem Emulation Service on NetEye
04. 12. 2024 Business Service Monitoring, NetEye, Unified Monitoring
Correlate Services without a Business Process
02. 07. 2024 Development, NetEye
Migrating from Network Script to NetworkManager Service
See All

Related Content

Tags: , ,

30. 09. 2025 NetEye, Unified Monitoring

Business Process Automation on NetEye

In NetEye, 'business processes' is a module used to model and monitor the business process hierarchy to obtain a high-level view of the status of critical applications. In short, they allow monitoring controls of individual components to be aggregated into Read More
30. 09. 2025 APM, Development, NetEye, Unified Monitoring

Segregating APM Data in Elastic: A Practical Guide to a Not-So-Obvious Challenge

If you've worked with Elastic APM, you're probably familiar with the APM Server: a component that collects telemetry data from APM Agents deployed across your infrastructure. But what happens when you need to segregate that data by tenant, especially in Read More
30. 06. 2025 NetEye, Unified Monitoring

Cron Job Monitoring with Tornado (Part 2)

In the first part we created hosts and services to monitor a sequence of script using Tornado. The Tornado Rule Now let's continue with the creation of a Tornado rule: open the NetEye web interface and select Tornado dashboard, then Read More
20. 06. 2025 NetEye, Unified Monitoring

NEP Telegram Notification

Some time ago, my colleague Giuseppe Di Garbo published this article on the NetEye Blog, where he explained how to integrate NetEye notifications with Telegram. It was a great starting point, and in fact many of us used it to Read More
02. 06. 2025 Development, Front-end, Icinga News, Icinga Web 2, NetEye, PHP

Content Security Policy (CSP) + NetEye 4.42

In the latest update to NetEye 4.42, we're excited to announce the introduction of support for the Content-Security-Policy (CSP) header within the Icinga Web 2 interface. This enhancement plays a crucial role in strengthening your system's defenses against cross-site scripting Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive