Cloud-aws 2.3.1 authentication error when used for snapshots

Elastic Stack Elasticsearch
1

I'm currently using Elasticsearch 2.3.1 with the cloud-aws-2.3.1 plugin on a single node to evaluate snapshots to S3.

When I issue the curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '
{
"type" : "s3",
"settings": {
"bucket": "mySnapshots",
"endpoint": "storage.s3.inhouse.com",
"protocol": "https:",
"access_key": "xxxxxxxxxxxx",
"secret_key": "xxxxxxxxxxxx"
}
}
'

I get a "status" : 500 response returned.
"caused_by" : {
"type" : "creation_exception",
"reason" : "Guice creation errors:\n\n1) Error injection constructor, com.amazonaws.AmazonClientExcption: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n at org.elasticserach.repositories.s3.S3Repository\n while locating org.elasticsearch.repositories.REpository\n\n1 error:,
.
.
.

Essentially, the message appears to be telling me that it can't find the server certs. Since I don't have shield on the server, is there another property in the elasticsearch.yml file I am suppose to add the server certs to?

Thanks,
D

2

Can you replace protocol to "https"?

3

Hmm, that sort of clears the problem of getting the 500 response. But now I get a
curl: (35) SSL connect error.

Since, I don't have shield on this instance. I'm not sure how or where I can add my server certs to it.

Thanks,

D

4

You get that doing what exactly?

5

Sorry about that.

I issued the command:
curl -XPUT 'https://localhost:9200/_snapshot/s3_backups?pretty' -d @/tmp/register_s3.json

and the response is:
curl: (35) SSL connect error

I tried it like this to
curl -k -XPUT 'https://localhost:9200/_snapshot/s3_backups?pretty' -d @/tmp/register_s3.json

and the response is:
curl: (35) SSL connect error

6

But you don't have Shield as far as I know. So you can't call https://localhost:9200 but http://localhost:9200

7

That's what I tough to. But you asked me if I could replace protocol to https. or did I mis-understand?

8

No I meant that instead of:

curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '{
  "type" : "s3",
  "settings": {
    "bucket": "mySnapshots",
    "endpoint": "storage.s3.inhouse.com",
    "protocol": "https:",
    "access_key": "xxxxxxxxxxxx",
    "secret_key": "xxxxxxxxxxxx"
  }
}'

You write:

curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '{
  "type" : "s3",
  "settings": {
    "bucket": "mySnapshots",
    "endpoint": "storage.s3.inhouse.com",
    "protocol": "https",
    "access_key": "xxxxxxxxxxxx",
    "secret_key": "xxxxxxxxxxxx"
  }
}'
9

oh I see.

I removed the colon from:

"protocol": "https:",

to:

"protocol": "https"

and I get the same 500 response.

10

May be we have an issue with https support? It will require some days to test that I think.
Can you try with http in the meantime?

Also may be change the log level to DEBUG?

11

I got it working :slight_smile:

I ended up adding the other S3 server to the cacerts in the java security file and restarting Elasticsearch.

yeah!

12

Great! May be it is worth adding that in our docs?
Wanna contribute some content?

13

Sure, no problem.