Calling Elasticsearch/X-Pack API from node js application

security

(Vigneshr35) #1

Hi Team,

I have developed a Node.js service that will call Elasticsearch APIs to perform various operations like creating roles, creating users, establishing user-role mappings, etc. The Elasticsearch instance has been configured to enable HTTPS access to the Elasticsearch APIs.

When my application calls the API, the error message shown below is seen:

{ Error: unable to verify the first certificate
at TLSSocket.<anonymous> (_tls_wrap.js:1103:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:637:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:467:38) code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
{ Error: socket hang up
at createHangUpError (_http_client.js:331:15)

Here are the request options for the API call from my Node application.
Please let me know if key, cert and ca are the only required options to be added.

var optionspost = {
host: utilities.elastic.host,
path: utilities.elasticAPIS.createUserRole+roleName,
port: utilities.elastic.port,
method: 'PUT',
key: fs.readFileSync(<path_to_elasticsearch_client_key>, encoding),
cert: fs.readFileSync(<path_to_elasticsearch_client_cert>, encoding),
ca: HPECAs.All_HPE_CAs,
headers: postheaders
};

The SSL configurations in elasticsearch.yml are as follows:

xpack.ssl.certificate: <path_to_elasticsearch>/config/certificates/server.crt
xpack.ssl.key: <path_to_elasticsearch>/config/certificates/server.key
xpack.ssl.certificate_authorities: ["<path_to_elasticsearch>/elasticsearch/config/certificates/ca1.cer","<path_to_elasticsearch>/elasticsearch/config/certificates/ca2.cer"]

Please confirm if:

  1. The value of 'key' in my application's request options should be the path for the same server key that is configured in xpack.ssl.key?
  2. The value of 'cert' in my application's request options should be the path for the same server cert that is configured in xpack.ssl.certificate?
  3. The value of 'ca' in my application's request options should be the path for the CAs configured in xpack.ssl.certificate_authorities?

Thank you,
Vignesh Ravi


(Tim Vernum) #2

It looks like your node client does not trust the certificate provided by the Elasticsearch HTTP service.

And what are you doing with these options? What client library are you using, and what API are you passing the options to?

ca: HPECAs.All_HPE_CAs

Is that the same set of CAs as you use in your elasticsearch config?

I can't really answer these without knowing what you are doing with the request options, but...

No, almost certainly not.
You only want to provide a certificate and key in your client if your cluster is enforcing client certificates for the REST interface (which is typically not the case).
If it is, then you want each client to have its own certificate and key; you shouldn't reuse the server's certificate for client authentication.
Otherwise, just don't configure a client certificate/key.

It should be the path to local copies of those same files.
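
The advice in the reply above, as an added example that is not part of the original thread and not code from either poster: the client always loads local copies of the CA files to verify the server, and adds a key/cert pair only when the cluster enforces client certificates on the REST interface. The helper names (`buildEsRequestOptions`, `explainTlsError`, `esRequest`) and the `caPaths`/`clientAuth` parameters are assumptions made for illustration.

```javascript
const fs = require('fs');
const https = require('https');

// Build https.request() options for an Elasticsearch REST call.
// caPaths: local copies of the files in xpack.ssl.certificate_authorities.
// clientAuth: { keyPath, certPath } for this client's OWN pair; omit it when
// the cluster does not enforce client certificates on the REST interface.
function buildEsRequestOptions({ host, port, path, method, headers, caPaths, clientAuth }) {
  if (!Array.isArray(caPaths) || caPaths.length === 0) {
    throw new Error('at least one CA file is required to verify the server');
  }
  const options = {
    host, port, path, method, headers,
    ca: caPaths.map((p) => fs.readFileSync(p, 'utf8')), // PEM contents, not paths
    rejectUnauthorized: true, // keep verification on and fix the trust list instead
  };
  if (clientAuth) {
    if (!clientAuth.keyPath || !clientAuth.certPath) {
      throw new Error('client auth needs both keyPath and certPath');
    }
    options.key = fs.readFileSync(clientAuth.keyPath, 'utf8');
    options.cert = fs.readFileSync(clientAuth.certPath, 'utf8');
  }
  return options;
}

// Map the TLS error codes Node reports to the likely trust problem.
function explainTlsError(err) {
  const hints = {
    UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'issuer of the server certificate is not in the ca list (or the server sent no intermediate)',
    UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 'chain ends at an issuer missing from the ca list',
    SELF_SIGNED_CERT_IN_CHAIN: 'root of the server chain is not in the ca list',
    DEPTH_ZERO_SELF_SIGNED_CERT: 'server certificate is self-signed and not in the ca list',
    ERR_TLS_CERT_ALTNAME_INVALID: 'host does not match the names in the server certificate',
  };
  return hints[err && err.code] || 'not a certificate trust error';
}

// Send the request; resolves with { status, body } or rejects with a hint.
function esRequest(options, body) {
  return new Promise((resolve, reject) => {
    const req = https.request(options, (res) => {
      let data = '';
      res.on('data', (chunk) => { data += chunk; });
      res.on('end', () => resolve({ status: res.statusCode, body: data }));
    });
    req.on('error', (err) => reject(new Error(`${err.code}: ${explainTlsError(err)}`)));
    req.end(body);
  });
}
```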

