Cannot connect to ES with self signed certificates

[juhasev]

PHP Client - No alive nodes found in your cluster.

I am using Elastic Search 7.1 (Open Distro docker image) which comes pre-configured with self signed certificates. So according to the Elastic Search PHP docs I need to pass in root CA certificate so that Elastic Search client can verify SSL connection. So I copied the ca-root.pem from the docker image to my web server and pass it along to ClientBuilder.

$host = 'https://admin:admin@elasticsearch:9200';

$caBundle = './aws/dockerdevbox/certs/root-ca.pem';
        
$this->client = ClientBuilder::create()
   ->setHosts([$host])
   ->setSSLVerification($caBundle)
   ->build();

This results into an error:

Elasticsearch\Common\Exceptions\NoNodesAvailableException: No alive nodes found in your cluster.

By looking at the Elastic Search logs I see the following:

[elasticsearch] SSL Problem Received fatal alert: unknown_ca

But from the same host if I use curl and pass in the CA certificate we have no issues:

curl --cacert aws/dockerdevbox/certs/root-ca.pem -X GET "https://admin:admin@elasticsearch:9200/_cluster/health?pretty"
{
  "cluster_name" : "cluster",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 210,
  "active_shards" : 210,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 202,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 50.970873786407765
}

I've tried everything, I am even tried with my own self signed certificates as opposed the ones shipped with the server and still the same results. I've literally been trying to get this working all day and this should be pretty straight forward so I am suspecting there is bug in the PHP client.

System details

• Operating System Linux
• PHP Version 7.2
• ES-PHP client version 7.0
• Elasticsearch version 7.1 (Open Distro)
• Docker image: amazon/opendistro-for-elasticsearch:1.1.0

[ezimuel]

@juhasev can you try to use elasticsearch-php 7.1.1 ? The 7.0.0 release has a bug on Client::setSSLVerification(), see #916.

[ezimuel]

@juhasev did you try to use 7.1.1+ ? Let me know, thanks.

[juhasev]

@ezimuel I have not yet as I have to shift gears. I will get back to this next week and I will let you know.

[juhasev]

@ezimuel Works perfectly now when passing setSSLVerification(false). I did not try with custom certificates.

[ezimuel]

@juhasev I did some more tests on my side and it works also passing the certificate. I'm closing the issue, ping me if you want to reopen it. Thanks!