Cloud-aws 2.3.1 authentication error when used for snapshots


#1

I'm currently using Elasticsearch 2.3.1 with the cloud-aws-2.3.1 plugin on a single node to evaluate snapshots to S3.

When I issue the curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '
{
"type" : "s3",
"settings": {
"bucket": "mySnapshots",
"endpoint": "storage.s3.inhouse.com",
"protocol": "https:",
"access_key": "xxxxxxxxxxxx",
"secret_key": "xxxxxxxxxxxx"
}
}
'

I get a "status" : 500 response returned.
"caused_by" : {
"type" : "creation_exception",
"reason" : "Guice creation errors:\n\n1) Error injection constructor, com.amazonaws.AmazonClientExcption: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n at org.elasticserach.repositories.s3.S3Repository\n while locating org.elasticsearch.repositories.REpository\n\n1 error:,
.
.
.

Essentially, the message appears to be telling me that it can't find the server certs. Since I don't have Shield on the server, is there another property in the elasticsearch.yml file I am supposed to add the server certs to?

Thanks,
D


(David Pilato) #2

Can you replace protocol to "https"?


#3

Hmm, that sort of clears the problem of getting the 500 response. But now I get a
curl: (35) SSL connect error.

Since I don't have Shield on this instance, I'm not sure how or where I can add my server certs to it.

Thanks,

D


(David Pilato) #4

You get that doing what exactly?


#5

Sorry about that.

I issued the command:
curl -XPUT 'https://localhost:9200/_snapshot/s3_backups?pretty' -d @/tmp/register_s3.json

and the response is:
curl: (35) SSL connect error

I tried it like this too:
curl -k -XPUT 'https://localhost:9200/_snapshot/s3_backups?pretty' -d @/tmp/register_s3.json

and the response is:
curl: (35) SSL connect error


(David Pilato) #6

But you don't have Shield as far as I know. So you can't call https://localhost:9200 but http://localhost:9200


#7

That's what I thought too. But you asked me if I could replace protocol to https. Or did I misunderstand?


(David Pilato) #8

No I meant that instead of:

curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '{
  "type" : "s3",
  "settings": {
    "bucket": "mySnapshots",
    "endpoint": "storage.s3.inhouse.com",
    "protocol": "https:",
    "access_key": "xxxxxxxxxxxx",
    "secret_key": "xxxxxxxxxxxx"
  }
}'

You write:

curl -XPUT 'http://localhost:9200/_snapshot/s3_backups?pretty' -d '{
  "type" : "s3",
  "settings": {
    "bucket": "mySnapshots",
    "endpoint": "storage.s3.inhouse.com",
    "protocol": "https",
    "access_key": "xxxxxxxxxxxx",
    "secret_key": "xxxxxxxxxxxx"
  }
}'

#9

oh I see.

I removed the colon from:

"protocol": "https:",

to:

"protocol": "https"

and I get the same 500 response.


(David Pilato) #10

Maybe we have an issue with https support? It will require some days to test that I think.
Can you try with http in the meantime?

Also maybe change the log level to DEBUG?


#11

I got it working :)

I ended up adding the other S3 server to the cacerts in the java security file and restarting Elasticsearch.

yeah!
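
The fix described in the post above, as an added example that is not part of the original thread: it reproduces the untrusted-chain condition behind "PKIX path building failed" with a throwaway CA, then shows the trust-store import that resolves it without turning certificate validation off. The CA and certificates are constructed for the demo, the function names are hypothetical, and it assumes the endpoint's certificate is issued by an in-house CA.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and server certificate stand in for the
# in-house S3 endpoint; nothing here touches a real trust store.
ENDPOINT="storage.s3.inhouse.com"   # endpoint name from the thread

# In directory $1: create a private CA, a server cert it signs, and trust.pem,
# a stand-in for a default trust store that has never seen the in-house CA.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed In-house CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ENDPOINT" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Public CA" \
    -keyout "$d/pub.key" -out "$d/trust.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a CA in bundle $1. A failure here
# is the same condition the JVM reports as "PKIX path building failed".
chain_is_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The JVM-side fix: import CA certificate $1 into keystore $2 under alias $3.
# "changeit" is the stock cacerts password; the keystore path depends on the JDK.
import_into_jvm_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias "$3" \
    -file "$1" -keystore "$2" -storepass changeit
}

# Before/after walk-through; returns 0 only if the chain goes untrusted -> trusted.
demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  before=trusted; chain_is_trusted "$d/trust.pem" "$d/srv.pem" || before=untrusted
  cat "$d/ca.pem" >> "$d/trust.pem"     # what the keytool import does for cacerts
  after=untrusted; chain_is_trusted "$d/trust.pem" "$d/srv.pem" && after=trusted
  rm -rf "$d"
  echo "before=$before after=$after"
  [ "$before" = untrusted ] && [ "$after" = trusted ]
}

demo
```

The JVM reads its trust store at startup, which is why the import only took effect after Elasticsearch was restarted.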


(David Pilato) #12

Great! Maybe it is worth adding that in our docs?
Wanna contribute some content?


#13

Sure, no problem.

