Connecting to Elasticsearch via Python with SSL and client certificate --> CERTIFICATE_VERIFY_FAILED

I am finding an amazing lack of information on how exactly to configure this.

I am using ES 2.3.2 and Python 3.2.

My cluster is behind a reverse proxy, so I have an SSL endpoint that requires a client certificate.

  1. SSL is provided via a publicly signed certificate
  2. My client certificate is self-signed, and the root CA I used to sign it is installed on the server (and the certs are working fine in calls from my .NET api).

I am attempting to create my Elasticsearch client with:

client = Elasticsearch(hosts=[self.host], timeout=80, use_ssl=True, verify_certs=True, ca_certs=ssl_cert_chain, client_cert=cert_file_path, client_key=key_file_path)

I am trying to figure out exactly what should be supplied in the parameters. I am assuming that:

client_cert: This is a pem containing my client certificate
client_key: This is the RSA decrypted key for my client certificate

ca_certs: What exactly do I need here:
-- Do I need my certificate chain for the SSL cert so that the SSL connection can be created?
-- Or do I need to have the root CA that I used to self-sign my client certificate?
-- Some combination of the two?

I can use:

openssl verify -CAfile [my root CA].pem [my client cert].pem

And it passes validation.

I have tried various inputs to ca_certs, but I am stuck on the following error when a request is actually issued:

Traceback (most recent call last):
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connectionpool.py", line 578, in urlopen
    chunked=chunked)
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connectionpool.py", line 351, in _make_request
    self._validate_conn(conn)
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connectionpool.py", line 814, in _validate_conn
    conn.connect()
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connection.py", line 289, in connect
    ssl_version=resolved_ssl_version)
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\util\ssl_.py", line 308, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\ssl.py", line 365, in wrap_socket
    _context=self)
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\ssl.py", line 583, in __init__
    self.do_handshake()
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\ssl.py", line 810, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

What exactly needs to be passed through in order to communicate correctly?

Thanks!

Ping...
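
An added diagnostic, not code from the original post or from elasticsearch-py: using Python's standard ssl module (3.7 or later assumed), it separates the two roles the question asks about. `ca_certs` is what the client uses to verify the server's certificate, while `client_cert` and `client_key` are what the client presents to the server; the host and file names are hypothetical.

```python
import socket
import ssl


def build_context(ca_certs=None, client_cert=None, client_key=None):
    """Build a TLS client context from the same three inputs as the post."""
    # ca_certs: trust anchors for verifying the SERVER's certificate
    # (the reverse proxy's chain). None falls back to the system store.
    ctx = ssl.create_default_context(cafile=ca_certs)
    # client_cert / client_key: the identity this client PRESENTS.
    # The server checks it against its own CA list; nothing here does.
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe(host, port, ctx, timeout=10):
    """Try one handshake and report which side rejected it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "handshake ok, " + str(tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Raised locally: the server's chain did not validate against
        # ca_certs, or the hostname did not match the certificate.
        return False, "client rejected server cert: " + exc.verify_message
    except ssl.SSLError as exc:
        # Other TLS failures, including alerts sent by the server, for
        # example when it does not accept the client certificate.
        return False, "TLS error: " + str(exc)
    except OSError as exc:
        return False, "network error: " + str(exc)


if __name__ == "__main__":
    # Hypothetical host and file names; replace with real ones.
    ctx = build_context(ca_certs=None,
                        client_cert="client.pem", client_key="client.key")
    print(probe("es.example.com", 443, ctx))
```

A `CERTIFICATE_VERIFY_FAILED` raised inside `do_handshake()`, as in the traceback above, corresponds to the first `except` branch: the client could not validate the server's chain.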
