API Connect offloading to ElasticSearch Error

When attempting to offload to our ElasticSerach instance, we are seeing the following error:

[2024-04-03T20:00:32,154][INFO ][logstash.outputs.elasticsearch] Failed to perform request {:message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>Manticore::ClientProtocolException, :cause=>#<Java::JavaxNetSsl::SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>}
 [2024-04-03T20:00:32,156][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://URL-HERE:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://URL-HERE:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}

Do I need a cacert reference?

How did you generate certificate?
Does Logstash have an access to it?
Can you try with ssl_verification_mode => 'none' (ssl_certificate_verification => false if you are using older than 11.14.0 plugin version)? and provide full debug level logs?

1 Like

I have a *.cer, *.key , and a *.pfx file.

I have not installed anything concerning a plugin. How do I determine the version?

To determine the plugins version, you can run bin/logstash-plugin list --verbose command (under the Logstash home dir) and find logstash-output-elasticsearch in the output list.

Please visit the plugin doc and set ssl_* params properly (ssl_enabled => true, ssl_certificate => path-to-your-.cer, ssl_key => path-to-your-cert.key, etc...)