New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Could not connect with self sign certificate of elasticsearch #173

Closed
aaryabhatt opened this Issue Dec 11, 2017 · 9 comments

Comments

Projects
None yet
2 participants
@aaryabhatt

aaryabhatt commented Dec 11, 2017

Hi,

I tried to connect to a elasticsearch in openshft aggregate logging with self sign certificate. It is not connecting. I tried to connect with curl, it work with -k option to bypass the verification of certificate. If I try without -k option than it give the ssl verification error.
see this.
`root@logging-elastalert:/var/www/411# curl -XGET -k --cert cert "https://logging-es:9200/"
{
"name" : "logging-es-data-master-0v7g47an",
"cluster_name" : "logging-es",
"cluster_uuid" : "BRhd6zhNSGCg9SR7JZRSeQ",
"version" : {
"number" : "2.4.4",
"build_hash" : "fcbb46dfd45562a9cf00c604b30849a6dec6b017",
"build_timestamp" : "2017-01-03T11:33:16Z",
"build_snapshot" : false,
"lucene_version" : "5.5.2"
},
"tagline" : "You Know, for Search"
}
root@logging-elastalert:/var/www/411# curl -XGET --cert cert "https://logging-es:9200/"
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
`
I got the below error.
3rd

my config.php setting are:-
# Configuration for the 411 Alerts index. 'alerts' => [ 'hosts' => ['https://logging-es:9200'], 'index_hosts' => [], 'ssl_cert' => "/var/www/411/cert", //'ssl_cert' => null, 'index' => null, 'date_based' => false, 'date_interval' => null, 'date_field' => 'alert_date', 'date_type' => null, 'src_url' => null, ], # Configuration for the logstash index that 411 queries. 'operation' => [ 'hosts' => ['https://logging-es:9200'], 'index_hosts' => [], // 'ssl_cert' => null, 'ssl_cert' => "/var/www/411/cert", 'index' => '[.operations.]Y.m.d', 'date_based' => false, 'date_interval' => 'd', 'date_field' => '@timestamp', 'date_type' => null, 'src_url' => null, ],
How I can use ssl not verify option in setting of config.php.

Thanks.

@kiwiz

This comment has been minimized.

Collaborator

kiwiz commented Dec 15, 2017

Do you have a copy of the certificate? Passing it in the ssl_cert option should do the job.

@aaryabhatt

This comment has been minimized.

aaryabhatt commented Dec 16, 2017

Hi Kiwiz, Thanks for your reply. I have this SSl certificate. As I mentioned that I can access access it through CURL and if the certificate was not proper earlier, it was giving error something like bundle CA not found in elasticsearch logs. Now it don't show any logs at elasticsearch.

I am trying to access a elasticsearch server deployed by EFK aggregate logging in openshift origin 3.5.
Which used the key based authentication for elasticsearch.

So I made a bundle certificate of secret in a single file in order cert + key + ca. I tried to use the different user secret certificate but still the same issue. I also tried to use older version of etsy/411 1.3 but it is still the same issue. I am getting the same error shown in image. If you will see config.php setting above, it is using ssl_cert option with full path of cert file.

Is there any method by which I can check the connectivity to elasticsearch from 411 app and trace the logs?

@kiwiz

This comment has been minimized.

Collaborator

kiwiz commented Dec 22, 2017

The relevant line is here: https://github.com/etsy/411/blob/master/phplib/Search/Elasticsearch.php#L153, via setSSLVerification. Can you test your bundle with a minimal script?

This link might also help: https://www.elastic.co/guide/en/elasticsearch/client/php-api/current/_security.html.

@aaryabhatt

This comment has been minimized.

aaryabhatt commented Dec 30, 2017

Thanks Kiwiz, apologize for late response. I don't have knowledge of php and try to search a lot of docs ut little confused to used.
I tried the bundle cert with curl and it works fine from same container. It would be great help if you can help me set this test script environment in that container.

root@logging-elastalert:/var/www/411# curl -XGET -k --cert cert.pem "https://logging-es:9200/_cat/indices?v" health status index pri rep docs.count docs.deleted store.size pri.store.size green open elastalert_status 1 0 0 0 159b 159b green open .operations.2017.12.06 1 0 22216489 0 6.3gb 6.3gb green open .operations.2017.12.05 1 0 22132281 0 6.3gb 6.3gb green open .operations.2017.12.08 1 0 22186730 0 6.3gb 6.3gb green open .operations.2017.12.07 1 0 22122240 0 6.3gb 6.3gb green open .searchguard.logging-es-data-master-0v7g47an 1 0 5 0 33kb 33kb

@aaryabhatt

This comment has been minimized.

aaryabhatt commented Dec 30, 2017

HI Kiwiz, I tried to build a test script to test connectivity but still getting the same error.
my php script

<?php
require 'vendor/autoload.php';

$hosts = ['https://logging-es:9200'];
$myCert = '/var/www/411/cert.pem';
$client = Elasticsearch\ClientBuilder::create()
	                    ->setHosts($hosts)
	                    ->setSSLVerification($myCert)
			    ->build();
$params = [
		        'index' => '.operations.2017.12.06',
		        'type' => 'com.redhat.viaq.common',
		        'id' => 'AWAqLKx4unTnyFKFOn8j'
			];
$response = $client->get($params);
echo $response['_source']['MACHINE_ID'];

geetting the same error

root@logging-elastalert:~/elastic_php# php index.php 

Fatal error: Uncaught Elasticsearch\Common\Exceptions\BadRequest400Exception in /root/elastic_php/vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php:681
Stack trace:
#0 /root/elastic_php/vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php(640): Elasticsearch\Connections\Connection->tryDeserializeError(Array, 'Elasticsearch\\C...')
#1 /root/elastic_php/vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php(561): Elasticsearch\Connections\Connection->tryDeserialize400Error(Array)
#2 /root/elastic_php/vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php(262): Elasticsearch\Connections\Connection->process4xxError(Array, Array, Array)
#3 /root/elastic_php/vendor/react/promise/src/FulfilledPromise.php(25): Elasticsearch\Connections\Connection->Elasticsearch\Connections\{closure}(Array)
#4 /root/elastic_php/vendor/guzzlehttp/ringphp/src/Future/CompletedFutureValue.php(55): React\Promise\FulfilledPromise->then(Object(Closu in /root/elastic_php/vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php on line 681

if I tried this same cert with curl it works fine with -k option
see this

root@logging-elastalert:/var/www/411# curl -XGET -k --cert cert.pem "https://logging-es:9200/.operations.2017.12.06/com.redhat.viaq.common/AWAqLKx4unTnyFKFOn8j"
{"_index":".operations.2017.12.06","_type":"com.redhat.viaq.common","_id":"AWAqLKx4unTnyFKFOn8j","_version":1,"found":true,"_source":{"systemd":{"t":{"MACHINE_ID":"e869c2e3006341c79743d1005f9c8281","BOOT_ID":"9a8eb5fcac8843c2ae10ed2d4da48689","CAP_EFFECTIVE":"1fffffffff","CMDLINE":"/usr/bin/openshift start node --config=/etc/origin/node/node-config.yaml --loglevel=8","COMM":"openshift","EXE":"/usr/bin/openshift","GID":"0","HOSTNAME":"qadatanode2","PID":"9079","SELINUX_CONTEXT":"system_u:system_r:init_t:s0","SYSTEMD_CGROUP":"/system.slice/origin-node.service","SYSTEMD_SLICE":"system.slice","SYSTEMD_UNIT":"origin-node.service","TRANSPORT":"stdout","UID":"0"},"u":{"SYSLOG_FACILITY":"3","SYSLOG_IDENTIFIER":"origin-node"}},"hostname":"qadatanode2","message":"00000160  6e 65 74 65 73 2e 69 6f  2f 6f 73 12 05 6c 69 6e  |netes.io/os..lin|","pipeline_metadata":{"collector":{"ipaddr4":"10.131.2.36","ipaddr6":"fe80::2895:c4ff:fe58:c136","inputname":"fluent-plugin-systemd","name":"fluentd openshift","received_at":"2017-12-06T04:49:39.000000+00:00","version":"0.12.37 1.6.0"}},"level":"info","@timestamp":"2017-12-06T04:49:39.000000+00:00"}}

What could be the issue.

@aaryabhatt

This comment has been minimized.

aaryabhatt commented Jan 1, 2018

Issue was due to authentication error. let me describe it in details if someone else face this issue can be solved it easily.

Requirements were to integrate etsy/411 alert tools with elasticsearch v2.4.4 installed by aggregate logging in Openshift Origin setup to keep records of all the logs of Openshift infrastructure.

Problem: In aggregate logging in openshift, elasticsearch is setup with authentication with secret created in logging project on https URL. We can access elasticsearch with secrets keys,cert and ca cert only. I was able to access elasticsearch on https with these cert keys files with curl command with -k option, due to self sign certificates in openshift.

I was trying to create a bundle cert file by copying key+cert+ca in a single file of the elasticsearch user secret with ssl_cert option as mentioned in docs of etsy/411. But I was able to access it from etsy/411 web app.

Then I search on elasticsearch/php module https://github.com/elastic/elasticsearch-php on github for some help. There some one was asking to use key and cert file to pass authentication in build-connection then some reply to use

->setSSLCert($myCert)
->setSSLKey($mykey)

above two option for cert and key files and ->setSSLVerification($myCa) option is for CA certificate verification. Then I figure out that we are passing ->setSSLVerification($ssl_cert) only in etsy/411 which is for ca cert only and we are missing the client cert and key file for authentication. Thanks for @kiwiz to point me right direction in above comments.

Then I made the below change in two files and it start authenticating to elasticsearch.

Change in /var/www/411/phplib/Search/Elasticsearch.php

        if(!is_null($cfg['ssl_ca'])) {
            $cb->setSSLVerification($cfg['ssl_ca']);
        }
        if(!is_null($cfg['ssl_cert'])) {
                            $cb->setSSLCert($cfg['ssl_cert']);
        }
        if(!is_null($cfg['ssl_key'])) {
                            $cb->setSSLKey($cfg['ssl_key']);
        }

Changes in /var/www/411/phplib/ESClient.php:

  if(!is_null($escfg['ssl_ca'])) {
            $cb->setSSLVerification($escfg['ssl_ca']);
        }
        if(!is_null($escfg['ssl_cert'])) {
            $cb->setSSLCert($escfg['ssl_cert']);
        }
        if(!is_null($escfg['ssl_key'])) {
            $cb->setSSLKey($escfg['ssl_key']);
        }

As shown above in both the above files I added the option for setSSLCert and setSSLkey option for client cert and key files.

My config.php

  # Configuration for the 411 Alerts index.
    'alerts' => [
        'hosts' => ['https://logging-es:9200'],
        'index_hosts' => [],
        'ssl_cert' => '/var/www/411/elscert.pem',
        'ssl_ca' => '/var/www/411/ca.pem',
        'ssl_key' => '/var/www/411/elskey.key',
        'index' => null,
        'date_based' => false,
        'date_interval' => null,
        'date_field' => 'alert_date',
        'date_type' => null,
        'src_url' => null,
    ],
    # Configuration for the logstash index that 411 queries.
    'logstash' => [
        'hosts' => ['https://logging-es:9200'],
        'index_hosts' => [],
        'ssl_cert' => '/var/www/411/elscert.pem',
        'ssl_ca' => '/var/www/411/ca.pem',
        'ssl_key' => '/var/www/411/elskey.key',
//        'index' => '[.operations.]Y.m.d',
        'index' => null,
        'date_based' => false,
        'date_interval' => 'd',
        'date_field' => '@timestamp',
        'date_type' => null,
        'src_url' => null,
    ],

Now it is working nicely now.

@aaryabhatt aaryabhatt closed this Jan 1, 2018

@kiwiz

This comment has been minimized.

Collaborator

kiwiz commented Jan 17, 2018

@aaryabhatt Could you submit a PR with these changes?

@kiwiz kiwiz reopened this Jan 17, 2018

@aaryabhatt

This comment has been minimized.

aaryabhatt commented Jan 19, 2018

Hi Kiwiz, I am on leave for some days will submit the PR after 24th of JAN.

@kiwiz

This comment has been minimized.

Collaborator

kiwiz commented Jul 31, 2018

Hi @aaryabhatt do you still want to submit a PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment