I have an Elasticsearch instance (version 9.1.0) running on Docker. Everything worked perfectly until I tried to test the semantic search feature using the ELSER model.
Here is my code (following the example in the elastic.co blog post):
```
import time

# Method of the class that holds the Elasticsearch client as self.es
def deploy_elser(self):
    # download ELSER v2
    self.es.ml.put_trained_model(model_id='.elser_model_2',
                                 input={'field_names': ['text_field']})
    # wait until ready
    while True:
        status = self.es.ml.get_trained_models(model_id='.elser_model_2',
                                               include='definition_status')
        if status['trained_model_configs'][0]['fully_defined']:
            # model is ready
            break
        time.sleep(1)
    # deploy the model
    self.es.ml.start_trained_model_deployment(model_id='.elser_model_2')
    # define a pipeline
    self.es.ingest.put_pipeline(
        id='elser-ingest-pipeline',
        processors=[
            {
                'inference': {
                    'model_id': '.elser_model_2',
                    'input_output': [
                        {
                            'input_field': 'summary',
                            'output_field': 'elser_embedding',
                        }
                    ]
                }
            }
        ]
    )
```
Here is the error:
```
Error: BadRequestError(400, 'illegal_argument_exception', 'Failed to load package metadata', javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
```
I ran the code you provided in Kibana, but the error seems to be similar. Could it be that the SSL certificate is not included in the Docker-based installation?
```
{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "Failed to load package metadata"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "Failed to load package metadata",
    "caused_by": {
      "type": "unchecked_i_o_exception",
      "reason": "javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
      "caused_by": {
        "type": "s_s_l_handshake_exception",
        "reason": "(certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
        "caused_by": {
          "type": "validator_exception",
          "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
          "caused_by": {
            "type": "sun_cert_path_builder_exception",
            "reason": "unable to find valid certification path to requested target"
          }
        }
      }
    }
  },
  "status": 400
}
```
The error comes from SSL verification when Elasticsearch tries to download the ELSER model. It usually happens due to missing CA certificates, an outdated Docker image, or network restrictions. Updating CA certs or adjusting elasticsearch.yml often resolves it. If you’re still facing the same issue, you can connect with Webkul.
I modified my elasticsearch.yml to include `xpack.security.transport.ssl.enabled: true`, but the instance kept restarting, so I just removed it. The error went away, and I noticed that the initial issue was from my license. Thanks all for your support.
```
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "current license is non-compliant for [inference]",
        "license.expired.feature": "inference"
      }
    ],
    "type": "security_exception",
    "reason": "current license is non-compliant for [inference]",
    "license.expired.feature": "inference"
  },
  "status": 403
}
```
This message indicates that you don’t have the right license level for this feature. You can activate a trial from Kibana directly or by calling the "Start a trial" API (see the Elasticsearch API documentation).
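The two failures in this thread look alike at the top level but have different innermost causes. The following is an added example, not code from any poster or from Elastic: it walks the `caused_by` chain of an Elasticsearch error body and labels it. The labels `tls_trust`, `license` and `other` are hypothetical names, and the sample bodies are constructed by trimming the two responses quoted above.

```python
import json

# Constructed samples, trimmed from the two error bodies quoted in this thread.
TLS_BODY = json.loads("""
{"error": {"type": "illegal_argument_exception",
  "reason": "Failed to load package metadata",
  "caused_by": {"type": "unchecked_i_o_exception",
    "reason": "javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed",
    "caused_by": {"type": "s_s_l_handshake_exception",
      "reason": "(certificate_unknown) PKIX path building failed",
      "caused_by": {"type": "sun_cert_path_builder_exception",
        "reason": "unable to find valid certification path to requested target"}}}},
 "status": 400}
""")
LICENSE_BODY = json.loads("""
{"error": {"type": "security_exception",
  "reason": "current license is non-compliant for [inference]",
  "license.expired.feature": "inference"},
 "status": 403}
""")

# Exception type names as they appear in the thread's TLS failure.
TLS_TYPES = {"s_s_l_handshake_exception", "sun_cert_path_builder_exception"}

def cause_chain(body):
    """Return [(type, reason), ...] from the top-level error to the innermost caused_by."""
    chain, node = [], body.get("error")
    while isinstance(node, dict):
        chain.append((node.get("type", ""), node.get("reason", "")))
        node = node.get("caused_by")
    return chain

def classify(body):
    """Label an error by its innermost cause, not its generic top-level reason."""
    error, chain = body.get("error"), cause_chain(body)
    if isinstance(error, dict) and "license.expired.feature" in error:
        return "license", f"license does not cover [{error['license.expired.feature']}]"
    if {t for t, _ in chain} & TLS_TYPES or any("PKIX path building failed" in r for _, r in chain):
        return "tls_trust", chain[-1][1]
    # Fallback also covers bodies whose "error" is a plain string.
    return "other", chain[-1][1] if chain else str(error)

if __name__ == "__main__":
    for sample in (TLS_BODY, LICENSE_BODY):
        print(sample["status"], *classify(sample))
```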