SSL Connection to Elasticsearch got error #442

Open
kalpinus opened this issue Mar 4, 2023 · 1 comment
kalpinus commented Mar 4, 2023

SSL Connection to Elasticsearch with xpack SSL enabled got error

Request Type

Feature Request

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 20.04.5 LTS 64bit |
| OS version (client) | Windows 10 |
| Cortex version / git hash | 3.1.7-1 |
| Package Type | Binary (via apt install from cortex repository) |
| Browser type & version | Mozilla Firefox 110.0 |

Problem Description

I expected Cortex to communicate with Elasticsearch and create the index the first time. However, I got the following warning:

2023-03-04 02:53:50,468 [WARN] from org.elastic4play.database.SearchWithScroll in application-akka.actor.default-dispatcher-6 - Search error
com.sksamuel.elastic4s.http.JavaClientExceptionWrapper: javax.net.ssl.SSLPeerUnverifiedException: Host name 'x.x.x.x' does not match the certificate subject provided by the peer (CN=elasticsearch)
at com.sksamuel.elastic4s.http.JavaClient$$anon$1.onFailure(JavaClient.scala:70)
at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onDefinitiveFailure(RestClient.java:668)
at org.elasticsearch.client.RestClient$1.failed(RestClient.java:417)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:101)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:426)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.exception(HttpAsyncRequestExecutor.java:163)
at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:76)
at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:156)
at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:187)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'x.x.x.x' does not match the certificate subject provided by the peer (CN=elasticsearch)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:360)
at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:564)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
... 7 common frames omitted
2023-03-04 02:53:50,557 [INFO] from play.api.Play in main - Application started (Prod) (no global state)
2023-03-04 02:53:51,529 [INFO] from play.core.server.AkkaHttpServer in main - Enabling HTTP/2 on Akka HTTP server...
2023-03-04 02:53:51,531 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9001

and the indexes are not created in Elasticsearch.

Steps to Reproduce

  1. Install Cortex using apt from the Cortex repository
  2. Configure Cortex with the following configuration
  3. Import the crt file from Elasticsearch and convert it to jks format: keytool -import -alias ca -file elasticsearch.crt -keystore elasticsearch.jks
  4. Put elasticsearch.jks in /etc/cortex/certs/elasticsearch.jks (I created a certs directory inside the cortex directory)
  5. Configure Cortex (/etc/cortex/application) with the following lines:
    ....(snip)
    search {
      index = cortex
      uri = "https://x.x.x.x:9200"
      user = ""
      password = ""
      ssl.enabled = "true"

      keyStore {
        path = "/etc/cortex/certs/elasticsearch.jks"
        type = "JKS" # or PKCS12
        password = "xxx"
      }
      trustStore {
        path = "/etc/cortex/certs/elasticsearch.jks"
        type = "JKS" # or PKCS12
        password = "xxx"
      }
    }

    ....(snip)
  7. Start Cortex: systemctl start cortex
  8. Check the log: tail -f /var/log/cortex/application.log and get the warning above.

Possible Solutions

Can you please add a feature to disable hostname verification and allow self-signed certificates, like what is already done with TheHive? (I run TheHive with ES SSL and it is running well.)

Complementary information

srt180 commented Aug 2, 2023

same here
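
Why the handshake in the log above is rejected, and what makes it pass while hostname verification stays on, as an added example (not Cortex or Apache HttpClient code): a simplified model of RFC 2818/6125 name matching over the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`. The address 192.0.2.10 stands in for the redacted `x.x.x.x`, and both sample certificates are constructed; the first assumes the server certificate carries only CN=elasticsearch and no subjectAltName.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def host_matches_cert(host, cert):
    """Return True if `host` (the host part of the client's URI) is named by `cert`."""
    sans = cert.get("subjectAltName", ())
    if sans:
        if _is_ip(host):
            # An IP literal is only ever compared with iPAddress SAN entries.
            want = ipaddress.ip_address(host)
            return any(kind == "IP Address" and ipaddress.ip_address(val) == want
                       for kind, val in sans)
        return any(kind == "DNS" and _dns_match(val, host) for kind, val in sans)
    # No SAN at all: fall back to the subject CN (deprecated, but still common).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)

# Constructed sample certificates (assumptions, not taken from the issue).
CERT_CN_ONLY = {"subject": ((("commonName", "elasticsearch"),),)}
CERT_REISSUED = {
    "subject": ((("commonName", "elasticsearch"),),),
    "subjectAltName": (("DNS", "elasticsearch"), ("IP Address", "192.0.2.10")),
}

def demo():
    return {
        "uri by IP, CN-only cert": host_matches_cert("192.0.2.10", CERT_CN_ONLY),
        "uri by name, CN-only cert": host_matches_cert("elasticsearch", CERT_CN_ONLY),
        "uri by IP, cert reissued with IP SAN": host_matches_cert("192.0.2.10", CERT_REISSUED),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

Under these assumptions, the two passing cases correspond to pointing `uri` at a name the certificate already carries, or reissuing the Elasticsearch certificate with the address as an IP subjectAltName.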
