Calling Elasticsearch/X-Pack API from node js application

vigneshr35 · October 28, 2018, 1:25pm

Hi Team,

I have developed a node js service that will call Elasticsearch APIs to perform various operations like creating roles, creating users, establish user-role mapping etc. The Elasticsearch instance has been configured so as to enable HTTPS to access Elasticsearch APIs.

When my application calls the API, the below shown error message is seen

{ Error: unable to verify the first certificate
at TLSSocket. (_tls_wrap.js:1103:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:637:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:467:38) code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
{ Error: socket hang up
at createHangUpError (_http_client.js:331:15)

Here are the request options for the API call from my node application.
Please let me know if key, cert and ca are the only required options to be added ?

var optionspost = {
host: utilities.elastic.host,
path: utilities.elasticAPIS.createUserRole+roleName,
port: utilities.elastic.port,
method: 'PUT',
key: <path_to_elasticsearch_client_key>, encoding),
cert: <path_to_elasticsearch_client_cert>, encoding),
ca: HPECAs.All_HPE_CAs,
headers: postheaders
};

The SSL configurations in elasticsearch.yml are as follows:

xpack.ssl.certificate: <path_to_elasticsearch>/config/certificates/server.crt
xpack.ssl.key: <path_to_elasticsearch>/config/certificates/server.key
xpack.ssl.certificate_authorities: ["<path_to_elasticsearch>/elasticsearch/config/certificates/ca1.cer","<path_to_elasticsearch>/elasticsearch/config/certificates/ca2.cer"]

Please confirm if-

The value of 'key' in my application's request options should be the path for the same server key that is configured in xpack.ssl.key ?
The value of 'cert' in my application's request options should be the path for the same server cert that is configured in xpack.ssl.certificate ?
The value of 'ca' in my application's request options should be the path for the ca's configured in xpack.ssl.certificate_authorities ?

Thank you,
Vignesh Ravi

TimV · October 29, 2018, 1:37am

It looks like your node client does not trust the certificate provided by the Elasticsearch HTTP service.

And what are you doing with these options? What client library are you using, and what API are you passing the options to?

ca: HPECAs.All_HPE_CAs

Is that the same set of CAs as you use in your elasticsearch config?

I can't really answer these without knowing what you are doing with the request options, but...

No, almost certainly not.
You only want to provide a certificate and key in your client if your cluster is enforcing client certificates for the Rest interface (which is typically not the case).
If it is, then you want each client to have its own certificate and key, you shouldn't reuse the servers certificate for client authentication.
Otherwise, just don't configure a client certificate/key.

It should be the path to local copies of those same files.

system · November 26, 2018, 1:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create node certificate for Elasticsearch Elasticsearch elastic-stack-security	5	937	April 22, 2019
Elasticsearch SSL Certificate Invalid Elasticsearch elastic-stack-security	1	1203	September 8, 2020
SSL enabling the elasticsearch node library? Elasticsearch	1	392	July 6, 2017
Not able call SSL configured elasticsearch API from elasticsearch plugin Elasticsearch language-clients	6	358	July 14, 2021
ES 7.8 X-Pack not returning whole cert chain root ca, intermediate and server cert Elasticsearch elastic-stack-security	5	2129	September 2, 2020

Calling Elasticsearch/X-Pack API from node js application

Related topics