Cloud-aws 2.3.1 authentication error when used for snapshots

weed101 · November 1, 2016, 8:17pm

I'm currently using Elasticsearch 2.3.1 with the cloud-aws-2.3.1 plugin on a single node to evaluate snapshots to S3.

When I issue the curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '
{
"type" : "s3",
"settings": {
"bucket": "mySnapshots",
"endpoint": "storage.s3.inhouse.com",
"protocol": "https:",
"access_key": "xxxxxxxxxxxx",
"secret_key": "xxxxxxxxxxxx"
}
}
'

I get a "status" : 500 response returned.
"caused_by" : {
"type" : "creation_exception",
"reason" : "Guice creation errors:\n\n1) Error injection constructor, com.amazonaws.AmazonClientExcption: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n at org.elasticserach.repositories.s3.S3Repository\n while locating org.elasticsearch.repositories.REpository\n\n1 error:,
.
.
.

Essentially, the message appears to be telling me that it can't find the server certs. Since I don't have shield on the server, is there another property in the elasticsearch.yml file I am suppose to add the server certs to?

Thanks,
D

dadoonet · November 1, 2016, 9:32pm

Can you replace protocol to "https"?

weed101 · November 2, 2016, 4:22pm

Hmm, that sort of clears the problem of getting the 500 response. But now I get a
curl: (35) SSL connect error.

Since, I don't have shield on this instance. I'm not sure how or where I can add my server certs to it.

Thanks,

D

dadoonet · November 2, 2016, 5:04pm

You get that doing what exactly?

weed101 · November 2, 2016, 5:58pm

Sorry about that.

I issued the command:
curl -XPUT 'https://localhost:9200/_snapshot/s3_backups?pretty' -d @/tmp/register_s3.json

and the response is:
curl: (35) SSL connect error

I tried it like this to
curl -k -XPUT 'https://localhost:9200/_snapshot/s3_backups?pretty' -d @/tmp/register_s3.json

and the response is:
curl: (35) SSL connect error

dadoonet · November 2, 2016, 6:11pm

But you don't have Shield as far as I know. So you can't call https://localhost:9200 but http://localhost:9200

weed101 · November 2, 2016, 6:14pm

That's what I tough to. But you asked me if I could replace protocol to https. or did I mis-understand?

dadoonet · November 2, 2016, 7:08pm

No I meant that instead of:

curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '{
  "type" : "s3",
  "settings": {
    "bucket": "mySnapshots",
    "endpoint": "storage.s3.inhouse.com",
    "protocol": "https:",
    "access_key": "xxxxxxxxxxxx",
    "secret_key": "xxxxxxxxxxxx"
  }
}'

You write:

curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '{
  "type" : "s3",
  "settings": {
    "bucket": "mySnapshots",
    "endpoint": "storage.s3.inhouse.com",
    "protocol": "https",
    "access_key": "xxxxxxxxxxxx",
    "secret_key": "xxxxxxxxxxxx"
  }
}'

weed101 · November 2, 2016, 7:51pm

oh I see.

I removed the colon from:

"protocol": "https:",

to:

"protocol": "https"

and I get the same 500 response.

dadoonet · November 2, 2016, 9:14pm

May be we have an issue with https support? It will require some days to test that I think.
Can you try with http in the meantime?

Also may be change the log level to DEBUG?

weed101 · November 2, 2016, 11:51pm

I got it working

I ended up adding the other S3 server to the cacerts in the java security file and restarting Elasticsearch.

yeah!

dadoonet · November 3, 2016, 4:33am

Great! May be it is worth adding that in our docs?
Wanna contribute some content?

weed101 · November 3, 2016, 11:26am

Sure, no problem.