Could not connect with self sign certificate of elasticsearch #173
I tried to connect to an Elasticsearch in OpenShift aggregate logging with a self-signed certificate. It is not connecting. I tried to connect with curl; it works with the -k option to bypass the verification of the certificate. If I try without the -k option, then it gives the SSL verification error.
curl performs SSL certificate verification by default, using a "bundle"
My config.php settings are:
Hi Kiwiz, thanks for your reply. I have this SSL certificate. As I mentioned, I can access it through curl, and when the certificate was not proper earlier, it was giving an error something like "bundle CA not found" in the Elasticsearch logs. Now it doesn't show any logs at Elasticsearch.
I am trying to access an Elasticsearch server deployed by EFK aggregate logging in OpenShift Origin 3.5.
So I made a bundle certificate of the secret in a single file, in the order cert + key + ca. I tried to use a different user's secret certificate, but it is still the same issue. I also tried to use the older version 1.3 of etsy/411, but it is still the same issue. I am getting the same error shown in the image. If you look at the config.php settings above, it is using the ssl_cert option with the full path of the cert file.
Is there any method by which I can check the connectivity to Elasticsearch from the 411 app and trace the logs?
The relevant line is here: https://github.com/etsy/411/blob/master/phplib/Search/Elasticsearch.php#L153, via
This link might also help: https://www.elastic.co/guide/en/elasticsearch/client/php-api/current/_security.html.
Thanks Kiwiz, apologies for the late response. I don't have knowledge of PHP and tried to search a lot of docs, but I am a little confused about how to use them.
Hi Kiwiz, I tried to build a test script to test connectivity but I am still getting the same error.
Getting the same error.
If I try this same cert with curl, it works fine with the -k option.
What could be the issue?
The issue was due to an authentication error. Let me describe it in detail so that if someone else faces this issue, they can solve it easily.
The requirement was to integrate the etsy/411 alert tool with Elasticsearch v2.4.4, installed by aggregate logging in an OpenShift Origin setup, to keep records of all the logs of the OpenShift infrastructure.
Problem: In aggregate logging in OpenShift, Elasticsearch is set up with authentication using a secret created in the logging project, on an HTTPS URL. We can access Elasticsearch only with the secret's key, cert and CA cert. I was able to access Elasticsearch over HTTPS with these cert and key files using the curl command with the -k option, due to the self-signed certificates in OpenShift.
I was trying to create a bundle cert file by copying key+cert+ca of the Elasticsearch user secret into a single file, with the ssl_cert option as mentioned in the docs of etsy/411. But I was able to access it from the etsy/411 web app.
Then I searched the elasticsearch-php module https://github.com/elastic/elasticsearch-php on GitHub for some help. There someone was asking how to use key and cert files to pass authentication when building the connection, and someone replied to use
the above two options for the cert and key files; the ->setSSLVerification($myCa) option is for CA certificate verification. Then I figured out that we are passing only ->setSSLVerification($ssl_cert) in etsy/411, which is for the CA cert only, and we are missing the client cert and key file for authentication. Thanks to @kiwiz for pointing me in the right direction in the above comments.
Then I made the changes below in two files and it started authenticating to Elasticsearch.
Change in /var/www/411/phplib/Search/Elasticsearch.php
Changes in /var/www/411/phplib/ESClient.php:
As shown above, in both files I added the setSSLCert and setSSLKey options for the client cert and key files.
It is working nicely now.
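
A stand-alone connectivity check for the setup described in this thread, added here as an example (it is not code from 411 or from any participant). It keeps server verification on by passing the CA file to setSSLVerification, and supplies the client certificate and key separately through setSSLCert and setSSLKey. The host, the file paths and the Composer autoload location are placeholder assumptions.

```php
<?php
// Added example, not 411's own code. Host and paths below are placeholders.
// Assumes elasticsearch-php is installed through Composer in this directory.
require __DIR__ . '/vendor/autoload.php';

use Elasticsearch\ClientBuilder;

$host = 'https://es.example.test:9200'; // placeholder Elasticsearch URL
$ca   = '/path/to/ca.crt';              // CA that signed the server certificate
$cert = '/path/to/client.crt';          // client certificate (authentication)
$key  = '/path/to/client.key';          // client private key (authentication)

// Preflight: every file must be readable by the user PHP runs as.
foreach (['ca' => $ca, 'cert' => $cert, 'key' => $key] as $name => $path) {
    if (!is_readable($path)) {
        fwrite(STDERR, "$name file not readable: $path\n");
        exit(2);
    }
}

// Preflight: the private key must belong to the client certificate.
if (!openssl_x509_check_private_key("file://$cert", "file://$key")) {
    fwrite(STDERR, "client key does not match client certificate\n");
    exit(2);
}

$client = ClientBuilder::create()
    ->setHosts([$host])
    ->setSSLVerification($ca) // verify the server against this CA (no -k equivalent)
    ->setSSLCert($cert)       // client certificate presented to Elasticsearch
    ->setSSLKey($key)         // private key for that certificate
    ->build();

try {
    // info() performs a real request, so it exercises TLS and authentication.
    $info = $client->info();
    echo "connected, Elasticsearch version: {$info['version']['number']}\n";
} catch (\Exception $e) {
    // The exception class and message show whether the failure happened
    // during the TLS handshake or as an HTTP-level rejection.
    fwrite(STDERR, get_class($e) . ': ' . $e->getMessage() . "\n");
    exit(1);
}
```

Run it from the command line as the same user the web app runs as, so that file-permission problems on the key show up in the preflight rather than as a connection error.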