I am finding an amazing lack of information on how exactly to configure this.
I am using ES 2.3.2 and Python 3.2.
My cluster is behind a reverse proxy, so I have an SSL endpoint that requires a client certificate.
- SSL is provided via a publicly signed certificate
- My client certificate is self-signed, and the root CA I used to sign it is installed on the server (and the certs are working fine in calls from my .NET api).
I am attempting to create my Elasticsearch client with:
client = Elasticsearch(hosts=[self.host], timeout=80, use_ssl=True, verify_certs=True, ca_certs=ssl_cert_chain, client_cert=cert_file_path, client_key=key_file_path)
I am trying to figure out exactly what should be supplied in the parameters. I am assuming that:
client_cert: This is a pem containing my client certificate
client_key: This is the RSA decrypted key for my client certificate
ca_certs: What exactly do I need here:
-- Do I need my certificate chain for the SSL cert so that the SSL connection can be created?
-- Or do I need to have the root CA that I used to self-sign my client certificate?
-- Some combination of the two?
I can use:
openssl verify -CAfile [my root CA].pem [my client cert].pem
And it passes validation.
I have tried various inputs to ca_certs, but I am stuck on the following error when a request is actually issued:
Traceback (most recent call last):
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connectionpool.py", line 578, in urlopen
    chunked=chunked)
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connectionpool.py", line 351, in _make_request
    self._validate_conn(conn)
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connectionpool.py", line 814, in _validate_conn
    conn.connect()
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\connection.py", line 289, in connect
    ssl_version=resolved_ssl_version)
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\util\ssl_.py", line 308, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\ssl.py", line 365, in wrap_socket
    _context=self)
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\ssl.py", line 583, in __init__
    self.do_handshake()
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\ssl.py", line 810, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
What exactly needs to be passed through in order to communicate correctly?
Thanks!
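Added example (not part of the post above): the ca_certs value is the trust store the TLS library uses to verify the server's certificate, while client_cert/client_key only prove the client's identity, so a file that contains just the root used to sign the client certificate cannot validate a server certificate issued by a different CA. The script below reproduces that with openssl on two constructed, independent roots (server_ca standing in for the public CA, client_ca for the poster's own root); all names and paths are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: two unrelated roots, one issuing the "server" cert,
# one issuing the "client" cert. verify_with echoes 0 on success, 1 on failure.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
SUBJ="/C=US/O=Example"

mkca() {   # $1 = name -> self-signed root CA ($1.pem / $1.key)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.pem" -subj "$SUBJ/CN=$1 root" 2>/dev/null
}
issue() {  # $1 = leaf name, $2 = issuing CA name -> $1.pem signed by $2
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$SUBJ/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}
verify_with() {  # $1 = CA bundle, $2 = certificate to check
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

mkca server_ca          # stands in for the public CA behind the proxy
mkca client_ca          # the root the poster used to sign the client cert
issue server server_ca
issue client client_ca

# The poster's own check: the client cert verifies against its root.
CLIENT_OK=$(verify_with client_ca.pem client.pem)
# A ca_certs file holding only the client root cannot verify the server
# cert: this is the CERTIFICATE_VERIFY_FAILED situation.
SERVER_VS_CLIENT_ROOT=$(verify_with client_ca.pem server.pem)
# A ca_certs file holding the server's issuing chain verifies it.
SERVER_OK=$(verify_with server_ca.pem server.pem)
# Concatenating both roots into one bundle still verifies the server cert.
cat server_ca.pem client_ca.pem > both.pem
SERVER_VS_BOTH=$(verify_with both.pem server.pem)

printf 'client vs client_ca=%s  server vs client_ca=%s  server vs server_ca=%s  server vs both=%s\n' \
  "$CLIENT_OK" "$SERVER_VS_CLIENT_ROOT" "$SERVER_OK" "$SERVER_VS_BOTH"
```

The same trust-store check is what the Python ssl handshake performs against ca_certs, so the bundle must contain the chain that issued the endpoint's certificate; adding the client root to it is harmless but does nothing for server verification.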